vaultocean
high · SSRF · 2026-06-11 · 6 min read

Blind SSRF reaching cloud metadata through a PDF renderer

A server-side HTML-to-PDF feature followed redirects to 169.254.169.254 and embedded temporary IAM credentials in the output.

The renderer fetched remote resources (images, stylesheets, fonts) with no host allow-list and followed HTTP redirects. A crafted document referenced a resource that redirected to the link-local metadata endpoint, the renderer fetched the IAM role's temporary credentials from it, and the response text landed in the rendered PDF, which the attacker could download. Fix: block link-local and metadata address ranges (checked against the resolved IP, not just the URL string), disable redirects so a benign-looking first URL cannot hop to an internal address after the check, and require IMDSv2, whose session token must be obtained with a PUT request that a renderer issuing plain GETs cannot make.
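The vulnerable fetch pattern beside a hardened one, as an added example that is not code from the writeup or from the affected product. The hostnames, the `cdn.example.com` allow-list, the fake credential and the opener/resolver callables are all constructed stand-ins so the file runs offline; the blocked-range list and the IPv4-mapped unwrapping are the checks the fix calls for.

```python
"""Vulnerable vs hardened remote-resource fetch for a server-side HTML-to-PDF renderer.
Added example, not the writeup's code. Network and DNS are injected callables so
the file runs offline against constructed responses."""
import ipaddress
import socket
from urllib.parse import urlparse

# Address ranges the renderer must never connect to. 169.254.169.254 is the
# AWS/GCP/Azure instance-metadata endpoint; fd00:ec2::254 is the AWS IMDS IPv6 address.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "fe80::/10", "fd00:ec2::254/128",   # link-local / metadata
    "127.0.0.0/8", "::1/128", "0.0.0.0/8",                 # loopback / unspecified
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",       # RFC 1918
    "100.64.0.0/10",                                       # shared address space
)]
REDIRECT_CODES = {301, 302, 303, 307, 308}


class BlockedURL(ValueError):
    """Raised when a URL fails the SSRF policy."""


def resolve(host):
    """Every address the host resolves to (A and AAAA), as strings."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_url(url, resolver=resolve, allowed_hosts=None):
    """Enforce scheme, optional host allow-list and address-range policy.
    Returns the resolved addresses so the caller can pin its connection to one
    instead of resolving again (closes the DNS-rebinding window)."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise BlockedURL(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise BlockedURL("missing host")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise BlockedURL(f"host not on allow-list: {host}")
    addrs = set()
    for raw in resolver(host):
        addr = ipaddress.ip_address(raw)
        # ::ffff:169.254.169.254 is still the metadata service; unwrap it.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if any(addr in net for net in BLOCKED_NETWORKS):
            raise BlockedURL(f"{host} resolves to blocked address {addr}")
        addrs.add(str(addr))
    if not addrs:
        raise BlockedURL(f"host did not resolve: {host}")
    return addrs


def blocked_reason(url, resolver=resolve, allowed_hosts=None):
    """None if the URL passes policy, otherwise the reason it was refused."""
    try:
        check_url(url, resolver, allowed_hosts)
    except BlockedURL as exc:
        return str(exc)
    return None


def vulnerable_fetch(url, opener, max_redirects=5):
    """The pattern from the writeup: no allow-list, redirects followed blindly."""
    for _ in range(max_redirects + 1):
        status, headers, body = opener(url)
        if status in REDIRECT_CODES and "Location" in headers:
            url = headers["Location"]  # never re-checked
            continue
        return body
    raise RuntimeError("too many redirects")


def hardened_fetch(url, opener, resolver=resolve, allowed_hosts=None):
    """Check the URL before connecting and refuse every redirect."""
    check_url(url, resolver, allowed_hosts)
    status, headers, body = opener(url)
    if status in REDIRECT_CODES:
        raise BlockedURL(f"redirect to {headers.get('Location')!r} refused")
    return body


# Constructed stand-ins for the network: hypothetical hosts and a fake credential.
LOGO = "https://cdn.example.com/logo.png"
IMDS = "http://169.254.169.254/latest/meta-data/iam/security-credentials/app-role"
FAKE_NET = {
    LOGO: (302, {"Location": IMDS}, b""),
    IMDS: (200, {}, b'{"AccessKeyId": "AKIAEXAMPLE", "SecretAccessKey": "example"}'),
    "https://cdn.example.com/style.css": (200, {}, b"body { font-family: serif }"),
}
FAKE_DNS = {"cdn.example.com": {"203.0.113.10"}, "169.254.169.254": {"169.254.169.254"}}


def fake_opener(url):
    return FAKE_NET.get(url, (404, {}, b""))


def fake_resolver(host):
    return FAKE_DNS.get(host, set())


def demo():
    """Fetch the same document asset with both fetchers; returns the outcomes."""
    out = {"vulnerable": vulnerable_fetch(LOGO, fake_opener)}
    try:
        out["hardened"] = hardened_fetch(LOGO, fake_opener, fake_resolver)
    except BlockedURL as exc:
        out["hardened"] = f"blocked: {exc}"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

Two caveats the check alone does not cover. The address test happens before the connection, so a real client should connect to one of the addresses `check_url` returned (setting the Host header and SNI to the original hostname) rather than letting its HTTP library resolve the name a second time. And the IMDSv2 requirement is an instance setting, not renderer code: `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required` makes every metadata request need a token obtained with a PUT, which a renderer fetching assets by GET cannot produce even if a range check is bypassed.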
