nextlevelbuilder GoClaw Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in nextlevelbuilder GoClaw versions through 3.15.0-beta.32. The issue arises in the web_fetch component, specifically within the CheckSSRF/isPrivateIP function of the file internal/tools/web_shared.go. This vulnerability allows authenticated users with at least operator privileges to bypass SSRF protections and make requests to internal or special-use IP ranges that should be blocked. The flaw has been publicly disclosed and exploited, but it has been patched in version 3.15.0-beta.33.

Impact

Exploitation of this vulnerability bypasses SSRF protections, allowing authenticated users to direct the GoClaw server to make outbound requests to blocked IP ranges. This could be used to probe network services, access internal resources, or attack downstream services from the GoClaw deployment.

Reproduction

To reproduce this vulnerability, upload the verification script 'poc_min_verify.py' to a server with GoClaw v3.15.0-beta.32. This script will bind a canary listener on '198.18.0.1', a special-use IP that should be blocked by the SSRF protection. Then, send a 'POST' request to the GoClaw server's 'tools/invoke' endpoint, using the 'web_fetch' tool to request the canary listener. The server will successfully fetch the canary response, demonstrating the SSRF bypass. In contrast, a control request to '127.0.0.1' will be correctly blocked, highlighting the vulnerability.

Remediation

Users are advised to upgrade to GoClaw version 3.15.0-beta.33, where this vulnerability has been patched.

Added: Jul 18, 2026, 4:28 PM
Updated: Jul 18, 2026, 4:28 PM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
0.6
exploitability
6.0
remediation
0.0
relevance
10.0
threat
6.4
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.