| Title | nextlevelbuilder GoClaw <= 3.11.3 Server-Side Request Forgery (SSRF) (CWE-918) |
|---|
| Description | # Technical Details
A Server-Side Request Forgery (SSRF) vulnerability exists in the `TTSConfigHandler.handleSave` method in `internal/http/tts_config.go` of GoClaw.
The application fails to validate provider-controlled TTS `api_base` URLs before persisting them through `POST /v1/tts/config`. The separate `POST /v1/tts/test-connection` path uses `validateProviderURL()` to reject private and metadata-service addresses, but `handleSave` omits that validation. As a result, an attacker with access to the TTS configuration endpoint can store an internal URL such as `http://x.x.x.x/latest/meta-data`, and later force the backend to contact it during TTS synthesis through `POST /v1/tts/synthesize`.
# Vulnerable Code
File: internal/http/tts_config.go
Method: TTSConfigHandler.handleSave
Why: The method accepts provider-specific `api_base` values from OpenAI, ElevenLabs, and similar TTS provider configurations, resolves them with helpers such as `resolvedAPIBase()`, and stores them in `system_configs` without calling `validateProviderURL()` or otherwise blocking localhost, private network, or cloud metadata endpoints.
# Reproduction
1. Run a vulnerable GoClaw deployment with PostgreSQL and access to `POST /v1/tts/config`.
2. Send a TTS configuration request that sets a provider `api_base` to an internal target such as `http://x.x.x.x/latest/meta-data`.
3. Confirm the server returns success and the malicious `api_base` is persisted in `system_configs`.
4. Trigger TTS synthesis with `POST /v1/tts/synthesize`.
5. Observe that the backend attempts to contact the internal target, typically producing a timeout or backend log entry showing the outbound request attempt.
# Impact
- Authenticated administrative users, or users in default/dev single-user deployments, can force the server to make requests to internal network resources.
- Cloud deployments may expose metadata service endpoints and IAM credentials.
- Attackers can perform blind internal network probing or interact with private services that are not externally reachable. |
|---|
| Source | ⚠️ https://github.com/nextlevelbuilder/goclaw/issues/1132 |
|---|
| User | Eric-b (UID 96354) |
|---|
| Submission | 14/05/2026 07:22 AM (22 days ago) |
|---|
| Moderation | 01/06/2026 08:17 PM (19 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 367710 [nextlevelbuilder GoClaw up to 3.11.3 TTS Configuration Endpoint tts_config.go import privilege escalation] |
|---|
| Points | 20 |
|---|
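The Technical Details and Vulnerable Code sections above describe a save path that persists `api_base` without the address check the test-connection path applies. As an added example, not GoClaw's own `validateProviderURL()` and not taken from the linked issue, this is the kind of save-time check `handleSave` would need; the function name `checkAPIBase` and the address list are assumptions about a reasonable policy, not the project's code. Validation at save time alone does not cover DNS answers that change later, so the outbound HTTP client should apply the same `isDisallowedIP` check at dial time.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// isDisallowedIP reports whether an address must never be a TTS provider base:
// loopback, RFC 1918 private, link-local (which covers the cloud metadata
// service at 169.254.169.254), unspecified or multicast. IPv4-mapped IPv6
// forms are caught too, since the net.IP predicates normalise via To4().
func isDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// checkAPIBase (hypothetical name) accepts only http(s) URLs whose host is
// public and fails closed on anything it cannot parse or resolve.
func checkAPIBase(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("api_base: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("api_base: scheme %q not allowed", u.Scheme)
	}
	host := strings.ToLower(u.Hostname()) // brackets stripped for IPv6 literals
	if host == "" || host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return fmt.Errorf("api_base: host %q not allowed", host)
	}
	if ip := net.ParseIP(host); ip != nil {
		if isDisallowedIP(ip) {
			return fmt.Errorf("api_base: address %s is not allowed", ip)
		}
		return nil
	}
	// Resolve the name and refuse if any answer is internal, so a name that
	// mixes public and private records cannot slip through.
	addrs, err := net.LookupIP(host)
	if err != nil || len(addrs) == 0 {
		return fmt.Errorf("api_base: cannot resolve %q", host)
	}
	for _, ip := range addrs {
		if isDisallowedIP(ip) {
			return fmt.Errorf("api_base: %q resolves to internal %s", host, ip)
		}
	}
	return nil
}
```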