The Irony
LLM Guard is a security tool — it's supposed to protect LLM applications from malicious inputs. But during a routine automated audit, we found that the tool itself has a Server-Side Request Forgery (SSRF) vulnerability that could let attackers probe internal networks.
The Vulnerability
In llm_guard/output_scanners/url_reachabitlity.py, line 38:
response = requests.get(url, timeout=self._timeout)
The url_reachability scanner takes a URL from LLM output and makes a direct HTTP request to it — without any validation, allowlist, or sanitization.
An attacker who can control LLM output (via prompt injection) can make the scanner hit any internal URL:
# Probe internal Redis
http://localhost:6379
# Cloud metadata endpoints
http://169.254.169.254/latest/meta-data/
# Internal services
http://internal-db.example.com:5432
CVSS Score: 7.5 (HIGH)
The vulnerability is trivial to exploit:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High (can read internal service responses)
How We Found It
We used Correctover CCS, our automated code security scanner. CCS detects 24 vulnerability patterns in AI/LLM infrastructure code. It flagged this within seconds:
$ correctover-ccs scan protectai/llm-guard --json
→ MCP-SSRF-001: requests.get(url) without allowlist
→ Confidence: 91%
→ CVSS: 7.5
The Fix
Add a URL allowlist before making requests:
ALLOWED_DOMAINS = ('example.com', 'api.trusted-service.com')
ALLOWED_PROTOCOLS = https
def validate_url(url: str) -> bool:
parsed = urllib.parse.urlparse(url)
if parsed.scheme not in ALLOWED_PROTOCOLS:
return False
if not any(parsed.netloc.endswith(d) for d in ALLOWED_DOMAINS):
return False
return True
Disclosure
The repository (protectai/llm-guard) was found to be archived — no active maintainer could be reached. This article serves as public disclosure. If the project is revived, we're happy to assist with a fix.
Timeline
| Date | Event |
|---|---|
| 2026-07-14 | Vulnerability discovered via automated scan |
| 2026-07-14 | Repo found archived; public disclosure published |
Lessons Learned
- Security tools need security reviews too — especially ones that make network calls
-
Automated scanning catches the obvious — SSRF patterns like
requests.get(url)are easy to regex-match - LLM output scanning is a new attack surface — scanners that process model output need more hardening, not less
Want a Free Audit?
We're offering free automated security audits for AI/LLM open-source projects. If you maintain an MCP server, LLM tool, or AI agent framework, we'll scan it and send you a detailed report.
Contact us at team@correctover.com or check out Correctover CCS.
Correctover CCS is an automated code security scanner for AI/LLM infrastructure. It detects 24 vulnerability patterns including RCE, command injection, deserialization, and SSRF.
Top comments (0)