PT-2026-25513 · Npm · Openclaw
Published 2026-03-04 · Updated 2026-03-04
CVSS v3.1: 5.3 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Summary
isPrivateIpv4() in bundled SSRF guard code missed several IPv4 special-use/non-global ranges, so web fetch could allow targets that should be blocked by SSRF policy.
Affected Packages / Versions
- Package: openclaw (npm)
- Latest published affected version: 2026.2.21-2 (published 2026-02-21)
- Structured vulnerable range: <= 2026.2.21-2
- Planned patched version (pre-set): >= 2026.2.22
Impact
Low severity. Exploitation requires network reachability to the relevant special-use ranges and a request path that reaches the web fetch URL-fetching code.
Technical Details
Affected releases used narrow IPv4 private-range checks that omitted multiple RFC special-use/non-global ranges. As a result, requests to addresses in those ranges, such as http://198.18.0.1/... (198.18.0.0/15 is the benchmarking range reserved by RFC 2544), passed SSRF validation in affected releases. Follow-up hardening consolidates local-host/tailnet range checks so gateway/browser/tailnet paths share one canonical IP classification flow.
Fix Commit(s)
71bd15bb4294d3d1b54386064d69cd0f5f731bd8
44dfbd23df453e51b71ef79a148c28c53e89168c
333fbb86347998526dd514290adfd5f727caa6d9
f14ebd743cfc73f667fae80af70043d0ab1f88bd
OpenClaw thanks @princeeismond-dot for reporting.
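As an added example of the bug class described under Technical Details (this is not OpenClaw's code, and the "narrow" list below is an assumption about the shape of the original check, since the affected isPrivateIpv4() is not quoted on this page), the following JavaScript puts an RFC 1918-only test beside a classifier that covers the IPv4 special-purpose ranges from RFC 6890 and the IANA registry, and builds a web-fetch gate on it. The function names, the resolver hook and the URLs and addresses used as inputs are constructed for the example.

```javascript
// Added example (not OpenClaw's code). Shows the class of bug in this advisory: an
// SSRF guard whose "private IPv4" test knows only a few ranges, beside a classifier
// that covers the IPv4 special-purpose ranges (RFC 6890 and the IANA registry).
// The "narrow" list is an assumption about the shape of the original check; the
// affected isPrivateIpv4() is not quoted on this page.

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit integer. Exactly four
// decimal octets, each 0-255; anything else (shorthand, hex, octal, hostnames,
// IPv6) yields null so the caller cannot mistake it for a checked address.
function parseIpv4(str) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(str);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n >>> 0;
}

// True when addr (unsigned 32-bit) lies inside the block "a.b.c.d/len".
function inCidr(addr, cidr) {
  const [base, lenStr] = cidr.split('/');
  const len = Number(lenStr);
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  return ((addr & mask) >>> 0) === ((parseIpv4(base) & mask) >>> 0);
}

// Hypothetical narrow check: RFC 1918 plus loopback and nothing else. 198.18.0.1,
// 169.254.169.254 and 100.64.0.1 all pass it as "not private".
const NARROW_PRIVATE_IPV4 = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8'];
function isPrivateIpv4Narrow(str) {
  const addr = parseIpv4(str);
  return addr !== null && NARROW_PRIVATE_IPV4.some((cidr) => inCidr(addr, cidr));
}

// IPv4 blocks that are not globally reachable per the IANA special-purpose
// registry. An SSRF guard should refuse all of them, not just RFC 1918.
const NON_GLOBAL_IPV4 = [
  ['0.0.0.0/8',       'this network (RFC 1122)'],
  ['10.0.0.0/8',      'private (RFC 1918)'],
  ['100.64.0.0/10',   'shared address space / CGNAT (RFC 6598)'],
  ['127.0.0.0/8',     'loopback (RFC 1122)'],
  ['169.254.0.0/16',  'link-local, incl. cloud metadata endpoints (RFC 3927)'],
  ['172.16.0.0/12',   'private (RFC 1918)'],
  ['192.0.0.0/24',    'IETF protocol assignments (RFC 6890)'],
  ['192.0.2.0/24',    'TEST-NET-1 (RFC 5737)'],
  ['192.88.99.0/24',  '6to4 relay anycast, deprecated (RFC 7526)'],
  ['192.168.0.0/16',  'private (RFC 1918)'],
  ['198.18.0.0/15',   'benchmarking (RFC 2544)'],
  ['198.51.100.0/24', 'TEST-NET-2 (RFC 5737)'],
  ['203.0.113.0/24',  'TEST-NET-3 (RFC 5737)'],
  ['224.0.0.0/4',     'multicast (RFC 5771)'],
  ['240.0.0.0/4',     'reserved, incl. limited broadcast (RFC 1112)'],
];

// Classify one IPv4 literal. Unparseable input is reported as non-global so that a
// string the guard cannot understand is never treated as a safe destination.
function classifyIpv4(str) {
  const addr = parseIpv4(str);
  if (addr === null) return { global: false, block: null, name: 'not an IPv4 literal' };
  const hit = NON_GLOBAL_IPV4.find(([cidr]) => inCidr(addr, cidr));
  return hit ? { global: false, block: hit[0], name: hit[1] }
             : { global: true, block: null, name: 'global' };
}

// Default resolver: accept IPv4 literals only. A real deployment passes a DNS-backed
// resolver and then pins the connection to the address that was checked.
function literalOnly(host) {
  return parseIpv4(host) === null ? [] : [host];
}

// Gate for a web-fetch URL: http(s) only, and every address the host maps to must be
// global. Classification runs on url.hostname, which the WHATWG URL parser has
// already normalized (e.g. "http://2130706433/" becomes 127.0.0.1).
function checkFetchTarget(urlString, resolve = literalOnly) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return { allowed: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { allowed: false, reason: `scheme ${url.protocol} not allowed` };
  }
  const addrs = resolve(url.hostname);
  if (addrs.length === 0) {
    return { allowed: false, reason: `no checked address for ${url.hostname}` };
  }
  for (const a of addrs) {
    const c = classifyIpv4(a);
    if (!c.global) {
      return { allowed: false, reason: `${a}: ${c.name}${c.block ? ` (${c.block})` : ''}` };
    }
  }
  return { allowed: true, reason: `${addrs.join(', ')} global` };
}
```

The narrow function returns false for 198.18.0.1, which is exactly the gap the advisory describes; the table-driven classifier rejects it as benchmarking space, and the gate refuses a hostname if any resolved address is non-global. Keeping one table and one classifier is also what the advisory's follow-up hardening aims at: gateway, browser and tailnet code paths all consult the same classification instead of carrying their own range lists.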
Fix
SSRF
Affected Products
Openclaw