| Titolo | mosaxiv clawlet 0.2.10 Server-Side Request Forgery (SSRF) (CWE-918) |
|---|
| Descrizione | # Technical Details
An SSRF vulnerability exists in the `(*Registry).webFetch` request path in `tools/tool_web_fetch.go`, using policy logic from `tools/web_fetch_policy.go`, of clawlet.
The application fails to classify and block special-use IPv4 literal destinations before issuing outbound requests. Host validation only applies domain-pattern allow/block checks, and the default policy remains permissive, so addresses such as `x.x.x.x` are treated as allowed.
# Vulnerable Code
File: `tools/tool_web_fetch.go`, `tools/web_fetch_policy.go`
Method: `(*Registry).webFetch`, `allowHostByPolicy`
Why: `(*Registry).webFetch` normalizes the host and delegates authorization to `allowHostByPolicy`, but that helper only checks wildcard/domain patterns and does not reject benchmark, reserved, loopback, private, or other non-global IPv4 destinations before `http.Client.Do`.
# Reproduction
1. Use an affected clawlet checkout with the default or otherwise permissive `web_fetch` policy.
2. Trigger the real `tools.Registry.Execute("web_fetch", ...)` path with the target URL `http://x.x.x.x:18080/internal`.
3. Confirm the request is sent and a canary response is returned, then repeat with `x.x.x.x` added to blocked domains to verify the control case is denied before network access.
# Impact
- An attacker can use the clawlet host as an SSRF primitive to reach special-use IPv4 HTTP services.
- Internal or non-public HTTP content can be fetched and returned through tool output.
- Redirect validation inherits the same weakness because it reuses the same incomplete host policy. |
|---|
| Fonte | ⚠️ https://github.com/mosaxiv/clawlet/issues/13 |
|---|
| Utente | Eric-b (UID 96354) |
|---|
| Sottomissione | 11/06/2026 08:58 (1 mese fa) |
|---|
| Moderazione | 13/07/2026 18:57 (1 month later) |
|---|
| Stato | Accettato |
|---|
| Voce VulDB | 378122 [mosaxiv clawlet fino a 0.2.10 IPv4 tools/tool_web_fetch.go web_fetch url escalationi di privilegi] |
|---|
| Punti | 20 |
|---|