nextlevelbuilder GoClaw Server-Side Request Forgery Vulnerability in TTS Configuration Endpoint

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in nextlevelbuilder GoClaw versions through 3.11.3. The issue resides in the TTS configuration endpoint, specifically in the Import function of internal/http/tts_config.go. An authenticated user with administrative privileges can supply an arbitrary API base URL, which the application backend subsequently contacts without validating the destination. As a result, external attackers can exploit this to interact with internal resources, such as private subnets or cloud metadata services.

Impact

Exploitation of this vulnerability allows external attackers to interact with internal network resources, potentially accessing sensitive information or services. In cloud environments, this could include capturing IAM tokens from the instance metadata service, which could be used to gain elevated privileges.

Reproduction

To reproduce this vulnerability, upload a malicious URL pointing to an internal resource through the TTS configuration endpoint. Once the URL is saved, trigger a TTS synthesis request, which will cause the server to contact the injected URL, demonstrating the SSRF vulnerability.

Remediation

Users can update to GoClaw version 3.12.0 or later, where this vulnerability has been patched.
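The fix the Import path needs is a destination check on the configured base URL before it is stored and again before it is dialled. The following is an added example of such a check, not GoClaw's own code; the names ValidateAPIBaseURL and Resolver are assumed, and the resolver is injectable so the check can be exercised offline.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// Resolver abstracts DNS so callers (and tests) decide what a host name maps to.
// In production pass net.LookupIP, which has exactly this signature.
type Resolver func(host string) ([]net.IP, error)

// isPublic reports whether ip is routable on the public Internet. The net.IP helpers
// cover loopback, RFC 1918, link-local (169.254.0.0/16, which holds the cloud
// metadata address) and IPv6 ULA, applying To4 first so ::ffff:10.0.0.1 is caught
// as well; carrier-grade NAT is added by hand because no helper covers it.
func isPublic(ip net.IP) bool {
	if ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsMulticast() {
		return false
	}
	_, cgnat, _ := net.ParseCIDR("100.64.0.0/10") // constant, cannot fail
	return !cgnat.Contains(ip)
}

// ValidateAPIBaseURL accepts only http(s) URLs without embedded credentials whose
// host is, or resolves exclusively to, public addresses; one private answer rejects.
func ValidateAPIBaseURL(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid url: %w", err)
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.User != nil {
		return errors.New("scheme must be http(s) and url must carry no credentials")
	}
	host := u.Hostname()
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not an IP literal: ask the resolver
		if ips, err = resolve(host); err != nil || len(ips) == 0 {
			return fmt.Errorf("cannot resolve %q: %v", host, err)
		}
	}
	for _, ip := range ips {
		if !isPublic(ip) {
			return fmt.Errorf("host %q maps to non-public address %s", host, ip)
		}
	}
	return nil
}
```

Because a name can change between save time and request time (DNS rebinding), the same isPublic check should also run on the address actually dialled, for example from a net.Dialer Control hook on the HTTP client that performs the synthesis request.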

Added: Jun 2, 2026, 4:20 AM
Updated: Jun 2, 2026, 4:20 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.4
exploitability: 6.0
remediation: 0.0
relevance: 9.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.