Server Side Request Forgery (SSRF)
ColdFusion Security Guide
The Risk
Making a request (such as an HTTP request) from your server can be used to bypass the network firewall. Your ColdFusion or Lucee server is usually allowed to reach hosts and IP addresses (internal admin interfaces, databases, other servers on the same network) that are not directly accessible to the public or to your end users, so an attacker who controls the URL your server requests can reach those hosts through it.
In addition, most cloud environments expose an instance metadata API to the cloud server instance itself. This metadata API contains sensitive information, such as the temporary cloud credentials assigned to the instance, that can lead to further compromise.
A Vulnerable Example
<cfhttp url="#form.feed#">
Where to look in your CFML code?
There are several tags and functions that can make an HTTP request. The cfhttp tag is the obvious example, but many tags and functions that accept a file path will also accept a URL in its place, so any of them that receives user input is a candidate for SSRF. Some examples:
cfhttp
cffeed
cfdocument
cfhtmltopdf
xmlParse
See the Additional Resources section for more tags / functions.
Mitigating SSRF in your CFML Code
Avoid passing user-supplied values directly to the impacted tags and functions. Where the user only needs to choose between a few remote resources, have them select a key and map it server side to a fixed URL. Where the user must supply a URL, parse it and compare the scheme and hostname against an allow-list of trusted values; blocklists of private IP ranges are easy to bypass (redirects, DNS names that resolve to internal addresses, alternate IP encodings), so ensure that only trusted values are allowed rather than trying to filter out bad ones.
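A hardened version of the vulnerable example above, written for this guide as an added illustration (it is not code from the original page). It assumes ColdFusion 11+ or Lucee for the cfscript tag syntax; the feed names, the feeds.example.com hostname and the form.feedUrl field are hypothetical:

```cfml
<cfscript>
// Added example for this guide, not code from the original page.
// Two patterns for getting a URL into cfhttp without trusting user input.

// Pattern 1: the user picks a feed by name; the server owns the URL.
// Feed names and URLs below are hypothetical.
allowedFeeds = {
    "news"    : "https://feeds.example.com/news.xml",
    "weather" : "https://feeds.example.com/weather.xml"
};

function getAllowedFeedUrl( required string feedName ) {
    // Exact lookup against the allow-list; anything else is rejected outright.
    if ( !structKeyExists( allowedFeeds, arguments.feedName ) ) {
        throw( type="Application", message="Unknown feed requested." );
    }
    return allowedFeeds[ arguments.feedName ];
}

// Pattern 2: the user must supply a full URL, so validate its parts.
// Only the scheme and the exact hostname are trusted; the hostname is
// compared against a list, never pattern-matched or checked against a blocklist.
function isAllowedUrl( required string candidate, required array allowedHosts ) {
    var uri    = "";
    var scheme = "";
    var host   = "";
    try {
        uri = createObject( "java", "java.net.URI" ).init( arguments.candidate );
    } catch ( any e ) {
        return false;  // unparseable input, e.g. embedded whitespace or control characters
    }
    scheme = isNull( uri.getScheme() ) ? "" : lCase( uri.getScheme() );
    host   = isNull( uri.getHost() )   ? "" : lCase( uri.getHost() );
    // Reject non-https schemes (file:, ftp:, gopher:, ...) and user@host tricks.
    if ( scheme != "https" || host == "" || !isNull( uri.getUserInfo() ) ) {
        return false;
    }
    // Exact hostname match, so raw IP literals such as 169.254.169.254 fail here too.
    return arrayFindNoCase( arguments.allowedHosts, host ) > 0;
}

// Usage with untrusted form input (form.feed and form.feedUrl are hypothetical fields).
// redirect=false: cfhttp follows redirects by default, and an allowed host could
// 302 to 169.254.169.254 or 127.0.0.1, which would reopen the SSRF.
if ( structKeyExists( form, "feed" ) ) {
    cfhttp( url=getAllowedFeedUrl( form.feed ), method="get", redirect=false, timeout=10, result="feedResponse" );
}

if ( structKeyExists( form, "feedUrl" ) && isAllowedUrl( form.feedUrl, [ "feeds.example.com" ] ) ) {
    cfhttp( url=form.feedUrl, method="get", redirect=false, timeout=10, result="feedResponse" );
}
</cfscript>
```

Pattern 1 is preferable whenever the set of remote resources is known in advance, because no user-controlled string ever reaches cfhttp. Pattern 2 only holds if every host on the allow-list is one you control; the redirect=false attribute is what stops a trusted host from bouncing the request to an internal address.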
Additional Mitigation Techniques
- If you are on a cloud provider you may be able to disable or restrict the instance metadata API. On AWS, IMDSv2 requires the caller to first obtain a session token with a PUT request and then send it as a header on every request, which the simple GET produced by a typical SSRF cannot do, so require IMDSv2 and disable IMDSv1 on your instances (the EC2 instance metadata option HttpTokens=required).
- Restrict outbound network connections (egress filtering) from your ColdFusion or Lucee servers so that they can only reach the IP addresses and ports they actually require.
Additional Resources
- SSRF Tags and Functions - Brian Reilly has come up with a list of tags and functions that may accept a URL in ColdFusion and on Lucee.
- SSRF Prevention Cheatsheet - Prevention and write up from OWASP.