提交 #855793: mosaxiv clawlet 0.2.10 Server-Side Request Forgery (SSRF) (CWE-918)信息

标题mosaxiv clawlet 0.2.10 Server-Side Request Forgery (SSRF) (CWE-918)
描述# Technical Details An SSRF vulnerability exists in the `(*Registry).webFetch` request path in `tools/tool_web_fetch.go`, using policy logic from `tools/web_fetch_policy.go`, of clawlet. The application fails to classify and block special-use IPv4 literal destinations before issuing outbound requests. Host validation only applies domain-pattern allow/block checks, and the default policy remains permissive, so addresses such as `x.x.x.x` are treated as allowed. # Vulnerable Code File: `tools/tool_web_fetch.go`, `tools/web_fetch_policy.go` Method: `(*Registry).webFetch`, `allowHostByPolicy` Why: `(*Registry).webFetch` normalizes the host and delegates authorization to `allowHostByPolicy`, but that helper only checks wildcard/domain patterns and does not reject benchmark, reserved, loopback, private, or other non-global IPv4 destinations before `http.Client.Do`. # Reproduction 1. Use an affected clawlet checkout with the default or otherwise permissive `web_fetch` policy. 2. Trigger the real `tools.Registry.Execute("web_fetch", ...)` path with the target URL `http://x.x.x.x:18080/internal`. 3. Confirm the request is sent and a canary response is returned, then repeat with `x.x.x.x` added to blocked domains to verify the control case is denied before network access. # Impact - An attacker can use the clawlet host as an SSRF primitive to reach special-use IPv4 HTTP services. - Internal or non-public HTTP content can be fetched and returned through tool output. - Redirect validation inherits the same weakness because it reuses the same incomplete host policy.
来源⚠️ https://github.com/mosaxiv/clawlet/issues/13
用户
 Eric-b (UID 96354)
提交2026-06-11 08時58分 (1 月前)
管理2026-07-13 18時57分 (1 month later)
状态已接受
VulDB条目378122 [mosaxiv clawlet 直到 0.2.10 IPv4 tools/tool_web_fetch.go web_fetch url 权限提升]
积分20

Want to know what is going to be exploited?

We predict KEV entries!