DEV Community

correctover
correctover

Posted on

Even LLM Security Tools Have Vulnerabilities: SSRF in protectai/llm-guard

The Irony

LLM Guard is a security tool — it's supposed to protect LLM applications from malicious inputs. But during a routine automated audit, we found that the tool itself has a Server-Side Request Forgery (SSRF) vulnerability that could let attackers probe internal networks.

The Vulnerability

In llm_guard/output_scanners/url_reachabitlity.py, line 38:

response = requests.get(url, timeout=self._timeout)
Enter fullscreen mode Exit fullscreen mode

The url_reachability scanner takes a URL from LLM output and makes a direct HTTP request to it — without any validation, allowlist, or sanitization.

An attacker who can control LLM output (via prompt injection) can make the scanner hit any internal URL:

# Probe internal Redis
http://localhost:6379

# Cloud metadata endpoints
http://169.254.169.254/latest/meta-data/

# Internal services
http://internal-db.example.com:5432
Enter fullscreen mode Exit fullscreen mode

CVSS Score: 7.5 (HIGH)

The vulnerability is trivial to exploit:

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High (can read internal service responses)

How We Found It

We used Correctover CCS, our automated code security scanner. CCS detects 24 vulnerability patterns in AI/LLM infrastructure code. It flagged this within seconds:

$ correctover-ccs scan protectai/llm-guard --json
→ MCP-SSRF-001: requests.get(url) without allowlist
→ Confidence: 91%
→ CVSS: 7.5
Enter fullscreen mode Exit fullscreen mode

The Fix

Add a URL allowlist before making requests:

ALLOWED_DOMAINS = ('example.com', 'api.trusted-service.com')
ALLOWED_PROTOCOLS = https

def validate_url(url: str) -> bool:
    parsed = urllib.parse.urlparse(url)
    if parsed.scheme not in ALLOWED_PROTOCOLS:
        return False
    if not any(parsed.netloc.endswith(d) for d in ALLOWED_DOMAINS):
        return False
    return True
Enter fullscreen mode Exit fullscreen mode

Disclosure

The repository (protectai/llm-guard) was found to be archived — no active maintainer could be reached. This article serves as public disclosure. If the project is revived, we're happy to assist with a fix.

Timeline

Date Event
2026-07-14 Vulnerability discovered via automated scan
2026-07-14 Repo found archived; public disclosure published

Lessons Learned

  1. Security tools need security reviews too — especially ones that make network calls
  2. Automated scanning catches the obvious — SSRF patterns like requests.get(url) are easy to regex-match
  3. LLM output scanning is a new attack surface — scanners that process model output need more hardening, not less

Want a Free Audit?

We're offering free automated security audits for AI/LLM open-source projects. If you maintain an MCP server, LLM tool, or AI agent framework, we'll scan it and send you a detailed report.

Contact us at team@correctover.com or check out Correctover CCS.


Correctover CCS is an automated code security scanner for AI/LLM infrastructure. It detects 24 vulnerability patterns including RCE, command injection, deserialization, and SSRF.

Top comments (0)