| Título | Sipeed PicoClaw <= 0.2.9 Server-Side Request Forgery (CWE-918) |
|---|
| Descripción | # Technical Details
A Server-Side Request Forgery guard bypass exists in the `web_fetch` IP classifier in `pkg/tools/integration/web.go` of PicoClaw.
The application fails to recognize RFC 5214 ISATAP IPv6 literals that embed loopback or private IPv4 addresses behind `:5efe:`. The classifier handles direct IPv4, 6to4, and Teredo, but does not decode ISATAP before returning `false`.
# Vulnerable Code
File: `pkg/tools/integration/web.go`
Method: `WebFetchTool.Execute`
Why: Performs preflight private-host checks that rely on an incomplete IP classifier.
File: `pkg/tools/integration/web.go`
Method: `isPrivateOrRestrictedIP`
Why: Handles direct IPv4, 6to4, and Teredo, but omits ISATAP embedded IPv4 decoding.
File: `pkg/tools/integration/web.go`
Method: `newSafeDialContext`
Why: Uses the same incomplete classifier at connect time, allowing misclassified ISATAP payloads to proceed.
# Reproduction
1. Invoke the exported `web_fetch` tool with `http://[2001:db8:1234::5efe:127.0.0.1]:80/canary`.
2. Observe the crafted ISATAP payload is not rejected as private/local and returns a fetch result.
3. Invoke a protected control payload such as a 6to4-embedded loopback address.
4. Observe the control is blocked with `fetching private or local network hosts is not allowed`.
# Impact
- Bypasses built-in SSRF protections for crafted IPv6 literals.
- Allows requests toward loopback or private-network HTTP services that should be forbidden.
- May expose local admin interfaces, sidecars, internal metadata, or HTTP-reachable internal services. |
|---|
| Fuente | ⚠️ https://github.com/sipeed/picoclaw/issues/3074 |
|---|
| Usuario | Eric-i (UID 97584) |
|---|
| Sumisión | 2026-06-09 13:29 (hace 1 mes) |
|---|
| Moderación | 2026-07-17 15:50 (1 month later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 379796 [Sipeed PicoClaw hasta 0.2.9 web.go web_fetch escalada de privilegios] |
|---|
| Puntos | 20 |
|---|