diff --git a/src/main/java/org/b3log/solo/processor/FetchUploadProcessor.java b/src/main/java/org/b3log/solo/processor/FetchUploadProcessor.java
index c2e9c8528..7a7030d7e 100644
--- a/src/main/java/org/b3log/solo/processor/FetchUploadProcessor.java
+++ b/src/main/java/org/b3log/solo/processor/FetchUploadProcessor.java
@@ -63,6 +63,19 @@ public void fetchUpload(final RequestContext context) {
 return;
 }
 
+ // SSRF protection: block requests to private/internal IPs
+ try {
+ final java.net.URL parsedUrl = new java.net.URL(originalURL);
+ final java.net.InetAddress address = java.net.InetAddress.getByName(parsedUrl.getHost());
+ if (address.isLoopbackAddress() || address.isSiteLocalAddress() || address.isLinkLocalAddress()) {
+ LOGGER.log(Level.WARN, "Blocked SSRF attempt to private IP: " + originalURL);
+ return;
+ }
+ } catch (final Exception e) {
+ LOGGER.log(Level.WARN, "Failed to resolve URL host: " + originalURL);
+ return;
+ }
+
 if (Images.uploaded(originalURL)) {
 return;
 }
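Review bot: The new guard tests only the single address returned by `InetAddress.getByName` and omits `isAnyLocalAddress()` (0.0.0.0 / ::) and IPv6 unique-local fc00::/7, which `isSiteLocalAddress()` does not cover (it matches the deprecated fec0::/10 only), so a host with several A records or a ULA address still passes. The address checked here is also not necessarily the one the later download connects to — the resolver may answer differently on the second lookup (DNS rebinding) and the remote host may redirect to an internal address — so the same test should be applied where the connection is made or redirects disabled; that download code is outside the hunk. The `catch (final Exception e)` branch drops `e` from the log line, hiding why resolution or parsing failed; `java.net.URL`'s constructor is also deprecated on newer JDKs, so `new java.net.URI(originalURL).toURL()` is the better parse if the project targets them. `fetchUpload` starts and ends outside the hunk. I would move the address test into a helper and check every resolved address:
```java
        // SSRF protection: reject any resolved address that is not publicly routable
        try {
            final java.net.URL parsedUrl = new java.net.URL(originalURL);
            for (final java.net.InetAddress address : java.net.InetAddress.getAllByName(parsedUrl.getHost())) {
                if (isInternalAddress(address)) {
                    LOGGER.log(Level.WARN, "Blocked SSRF attempt to private IP: " + originalURL);
                    return;
                }
            }
        } catch (final Exception e) {
            LOGGER.log(Level.WARN, "Failed to resolve URL host: " + originalURL + ", cause: " + e);
            return;
        }
        // … unchanged: Images.uploaded check and the rest of fetchUpload …

    /**
     * Returns true for addresses that must never be fetched on behalf of a client: unspecified,
     * loopback, link-local (incl. cloud metadata 169.254/16), site-local, multicast and IPv6 ULA.
     */
    private static boolean isInternalAddress(final java.net.InetAddress address) {
        if (address.isAnyLocalAddress() || address.isLoopbackAddress()
                || address.isLinkLocalAddress() || address.isSiteLocalAddress()
                || address.isMulticastAddress()) {
            return true;
        }
        final byte[] raw = address.getAddress();
        // isSiteLocalAddress() covers only fec0::/10; unique-local fc00::/7 has to be matched by hand
        return raw.length == 16 && (raw[0] & 0xfe) == 0xfc;
    }
```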