Cloud Metadata Potentially Exposed

ID

cloud_metadata_potentially_exposed

Severity

critical

Kind

Information Disclosure

CWE

1230

Description

The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure. All of these providers serve metadata on the internal, non-routable link-local address 169.254.169.254. An incorrectly configured NGINX server can expose this service to the outside: an attacker reaches it simply by placing that IP address in the Host header of a request.

Rationale

Exposing cloud metadata services allows attackers to retrieve highly sensitive information, including IAM role credentials, API keys, and instance configuration details. By setting the Host header to 169.254.169.254 on a misconfigured NGINX server, attackers can have the server proxy their requests to the cloud metadata API and obtain temporary security credentials with the permissions of the instance role. These credentials can then be used to access cloud resources, escalate privileges, or move laterally within the cloud environment, potentially leading to full account compromise.

Remediation

Do not trust any user-supplied data in NGINX configs. In this case the likely cause is the use of the $host variable, which is populated from the 'Host' request header and can therefore be controlled by an attacker.
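As an added example that is not part of the original advisory, the NGINX pattern that produces this exposure is shown next to a hardened equivalent; the hostname app.example.com, the upstream name app_backend and the backend address are assumptions.

```nginx
# VULNERABLE (constructed example): the proxy target is taken from $host,
# which NGINX fills from the client-supplied Host header. A request carrying
# "Host: 169.254.169.254" is therefore forwarded to the metadata service.
# An IP literal needs no resolver, so this works even without one; $http_host
# would be just as dangerous here.
server {
    listen 80;
    server_name _;                      # catch-all: any Host value is accepted
    location / {
        proxy_pass http://$host$request_uri;
        proxy_set_header Host $host;
    }
}

# HARDENED: the backend is a fixed, explicitly named upstream, the Host
# header sent to it is a constant, and requests whose Host header matches no
# known server_name are closed without a response (return 444).
upstream app_backend {
    server 10.0.0.10:8080;              # assumed internal backend address
}

server {
    listen 80 default_server;
    server_name _;
    return 444;                         # unknown Host such as 169.254.169.254: drop
}

server {
    listen 80;
    server_name app.example.com;        # assumed public hostname
    location / {
        proxy_pass http://app_backend;
        proxy_set_header Host app.example.com;
    }
}
```

Independently of the NGINX fix, enabling the provider's token-based metadata access (for example AWS IMDSv2, which requires a PUT-obtained token on every request) limits what a plain proxied GET can retrieve, but it does not remove the open proxy itself.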