The entry point
An image-fetch feature accepted arbitrary URLs. Classic SSRF — but the interesting question is never “does it fetch,” it’s “what can it reach.”
Escalation
The engine pivoted the SSRF at the cloud instance metadata endpoint, retrieved temporary credentials, and confirmed their blast radius with a controlled, read-only experiment before stopping — proof of impact without causing any.