nextlevelbuilder GoClaw
- <= 3.15.0-beta.32
A server-side request forgery (SSRF) vulnerability has been identified in nextlevelbuilder GoClaw versions through 3.15.0-beta.32. The issue arises in the web_fetch component, specifically within the CheckSSRF/isPrivateIP function of the file internal/tools/web_shared.go. This vulnerability allows authenticated users with at least operator privileges to bypass SSRF protections and make requests to internal or special-use IP ranges that should be blocked. The flaw has been publicly disclosed and exploited, but it has been patched in version 3.15.0-beta.33.
Exploitation of this vulnerability bypasses SSRF protections, allowing authenticated users to direct the GoClaw server to make outbound requests to blocked IP ranges. This could be used to probe network services, access internal resources, or attack downstream services from the GoClaw deployment.
To reproduce this vulnerability, upload the verification script 'poc_min_verify.py' to a server with GoClaw v3.15.0-beta.32. This script will bind a canary listener on '198.18.0.1', a special-use IP that should be blocked by the SSRF protection. Then, send a 'POST' request to the GoClaw server's 'tools/invoke' endpoint, using the 'web_fetch' tool to request the canary listener. The server will successfully fetch the canary response, demonstrating the SSRF bypass. In contrast, a control request to '127.0.0.1' will be correctly blocked, highlighting the vulnerability.
Users are advised to upgrade to GoClaw version 3.15.0-beta.33, where this vulnerability has been patched.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.