New Relic interview question

What is a Server Side Request Forgery attack?

Interview Answer

Anonymous

Jan 19, 2021

A vulnerability in a web server that exists due to a lack of malicious user input detection, sanitization, and validation checks. SSRF vulnerabilities don't validate the user-provided URL endpoints before processing/calling the URL endpoints. This allows a bad actor to make requests to bogon IP addresses (127.0.0.1, 169.254.0.0/16, fe80::1, etc.), which can often force the web server to reveal sensitive data and website administration pages that only run on localhost to a bad actor on the public internet.
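The missing validation the answer describes, sketched as a server-side check (an added example, not part of the original answer): the user-supplied URL is parsed, its host is resolved, and the request is refused if any resulting address is loopback, link-local or otherwise non-public. The function names, the injectable `resolve` parameter and the hostnames in the comments are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def is_internal(addr):
    """True for the ranges the answer names (127.0.0.1, 169.254.0.0/16,
    fe80::1) and the rest of the non-public address space."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    # An IPv4-mapped IPv6 address is judged as the IPv4 address it carries.
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def system_resolver(host):
    """Default resolver: every address the OS returns for the host."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def vet_url(url, resolve=system_resolver):
    """Return the vetted addresses for a user-supplied URL, or raise
    ValueError. `resolve` is injectable so the check can be tested offline."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("no host in URL")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # host is an IP literal
    except ValueError:
        addrs = resolve(host)                      # host is a name
    if not addrs:
        raise ValueError("host did not resolve")
    # Refuse if ANY address is internal: a name may map to several addresses.
    bad = [a for a in addrs if is_internal(a)]
    if bad:
        raise ValueError(f"internal address refused: {bad}")
    return addrs
```

The caller should connect to the returned addresses rather than resolving the name a second time, and should run the same check on every redirect hop.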