| タイトル | mosaxiv clawlet 0.2.10 Server-Side Request Forgery (SSRF) (CWE-918) |
|---|
| 説明 | # Technical Details
An SSRF vulnerability exists in the `(*Registry).webFetch` request path in `tools/tool_web_fetch.go`, using policy logic from `tools/web_fetch_policy.go`, of clawlet.
The application fails to classify and block special-use IPv4 literal destinations before issuing outbound requests. Host validation only applies domain-pattern allow/block checks, and the default policy remains permissive, so addresses such as `x.x.x.x` are treated as allowed.
# Vulnerable Code
File: `tools/tool_web_fetch.go`, `tools/web_fetch_policy.go`
Method: `(*Registry).webFetch`, `allowHostByPolicy`
Why: `(*Registry).webFetch` normalizes the host and delegates authorization to `allowHostByPolicy`, but that helper only checks wildcard/domain patterns and does not reject benchmark, reserved, loopback, private, or other non-global IPv4 destinations before `http.Client.Do`.
# Reproduction
1. Use an affected clawlet checkout with the default or otherwise permissive `web_fetch` policy.
2. Trigger the real `tools.Registry.Execute("web_fetch", ...)` path with the target URL `http://x.x.x.x:18080/internal`.
3. Confirm the request is sent and a canary response is returned, then repeat with `x.x.x.x` added to blocked domains to verify the control case is denied before network access.
# Impact
- An attacker can use the clawlet host as an SSRF primitive to reach special-use IPv4 HTTP services.
- Internal or non-public HTTP content can be fetched and returned through tool output.
- Redirect validation inherits the same weakness because it reuses the same incomplete host policy. |
|---|
| ソース | ⚠️ https://github.com/mosaxiv/clawlet/issues/13 |
|---|
| ユーザー | Eric-b (UID 96354) |
|---|
| 送信 | 2026年06月11日 08:58 (1 月 ago) |
|---|
| モデレーション | 2026年07月13日 18:57 (1 month later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 378122 [mosaxiv clawlet 迄 0.2.10 IPv4 tools/tool_web_fetch.go web_fetch url 特権昇格] |
|---|
| ポイント | 20 |
|---|