There are many reasons your web-server might make outgoing HTTP requests, including calling third-party web-services or accessing meta-data from remote URLs.
If your web-server makes HTTP requests to arbitrary domains that can be chosen by an attacker, you may be vulnerable to server-side request forgery (SSRF) attacks.
A site where users share links typically generates preview information for each shared URL, built from the meta-data on the remote page. This often entails making an HTTP request from the web-server each time a link is shared.
This gives an attacker an opportunity to trigger HTTP requests from your web-server to URLs of their choosing.
One risk is that an attacker will launch a denial-of-service attack on a third party by using you as a proxy - an attack you will get blamed for.
By spamming your server with requests to fetch meta-data from a third-party domain, the attacker can overwhelm that website while hiding behind your web-server.
Another risk is that an attacker will be able to probe your internal network by triggering requests to private IP addresses.
If the responses from these HTTP requests are leaked - for instance, in error messages - the attacker may even be able to read information from sensitive data stores.
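One way to guard the outgoing request against the internal-network risk described above, as an added example that is not code from the original page: before fetching a user-supplied URL, resolve the host and refuse any address that is not publicly routable. The names `check_outbound_url`, `resolve_host` and the stub resolver data are assumptions made for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host, port):
    """Default resolver: every IP address the host name maps to."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def check_outbound_url(url, resolver=resolve_host):
    """Return (allowed, reason) for a user-supplied URL before fetching it."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        # IP literals are checked directly; names are resolved first.
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addresses = resolver(host, port)
        except OSError:
            return False, "resolution failed"
    if not addresses:
        return False, "resolution failed"
    for addr in addresses:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
        # Judge IPv4-mapped IPv6 (::ffff:10.0.0.1) as the IPv4 address it wraps.
        ip = getattr(ip, "ipv4_mapped", None) or ip
        if not ip.is_global:
            return False, f"{ip} is not a public address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a stub resolver so the demo runs offline.
    stub = lambda host, port: {"intranet.example": ["10.0.0.5"]}.get(host, [])
    for u in ("http://intranet.example/", "http://127.0.0.1:8080/", "ftp://x/"):
        print(u, check_outbound_url(u, stub))
```

The fetch itself should connect to an address that passed this check rather than resolving the name a second time, and every redirect target needs the same check before it is followed.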
