Curl-url-http-3a-2f-2f169.254.169.254-2flatest-2fapi-2ftoken May 2026

Understanding the AWS IMDSv2 Token Fetch Command: curl 169.254.169

1. Attacker finds curl-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fapi-2Ftoken in your logs.
2. They decode it to curl http://169.254.169.254/latest/api/token.
3. They exploit a Server-Side Request Forgery (SSRF) vulnerability in your web app to make the server request its own metadata service.
4. They get the IMDSv2 token.
5. They use that token to fetch IAM role credentials.
6. They use those credentials to access S3 buckets, launch EC2 instances, or delete resources.

Cloud infrastructure relies heavily on metadata services to provide running instances with identity credentials, user data, and network configuration. In Amazon Web Services (AWS), this is handled by the Instance Metadata Service (IMDS), accessible via the link-local IP address 169.254.169.254 . curl-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fapi-2Ftoken

If the attacker supplies:

Security Considerations

Once you have the $TOKEN , you can access the metadata safely: Understanding the AWS IMDSv2 Token Fetch Command: curl 169

Part 1: What Is 169.254.169.254?

The server makes a request from its internal IP to the metadata service, retrieves the token, and potentially returns it in an error message or redirect. Attacker finds curl-url-http-3A-2F-2F169