← All posts
criticalMay 27, 2026·5 min read

SSRF via PDF renderers: your invoice generator is an internal proxy

Headless browsers rendering user HTML into PDFs will happily fetch cloud metadata endpoints. Two clients, same bug, one week. Here is the checklist.

ZA

Zach Winchester

chaosbyte crew

Headless browsers rendering user-supplied HTML into PDFs will happily fetch internal URLs — including cloud metadata endpoints. Two clients, same bug, one week apart.

Why it matters

We keep seeing this pattern across the applications we test. It rarely shows up in a vulnerability scanner's signature list, because exploiting it means chaining a few small assumptions together the way a real attacker would — which is exactly what our AI is built to do.

What we recommend

Treat every trust boundary as hostile, verify server-side, and wire a check into your pipeline so a regression fails the build instead of shipping to production. If you want us to confirm whether you're exposed, point a free pentest at your URL and we'll have a prioritized report back in minutes.