A cloud metadata endpoint is a special local URL exposed by some cloud platforms that returns information about the running instance or workload, such as instance identity data, configuration details, or temporary credentials. It is meant to be reached only from inside the cloud host, not from the public internet.
This matters because server-side request forgery, or SSRF, can trick an application server into making requests on an attacker’s behalf. If an SSRF flaw can reach the metadata endpoint, the server may disclose sensitive tokens or role credentials that can be used to access other cloud services. Defenders reduce this risk by blocking access to metadata services where possible, enforcing strict egress controls, using hop limits or metadata protections offered by the provider, and placing reverse proxies and network filtering in front of self-hosted applications. In practice, a metadata endpoint is a high-value internal target whenever a server can be persuaded to fetch arbitrary URLs.