📦 npm

GHSA-8cp7-rp8r-mg77

OpenClaw has SSRF guard bypass via IPv6 transition over ISATAP

Published
Mar 4, 2026
Updated
Mar 4, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

Blast Radius

1 pkg affected

Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.

openclaw (npm): 3.7M downloads / week

Description

Summary

OpenClaw's SSRF hostname/IP guard did not detect ISATAP embedded IPv4 addresses (...:5efe:w.x.y.z). A crafted URL containing an ISATAP IPv6 literal could embed a private IPv4 target (for example loopback) and bypass private-address filtering in URL-fetching paths.

Severity Assessment

Rated medium: the bug weakens SSRF protections in URL fetch flows, but impact depends on reaching a URL-fetching path with attacker-controlled input and is generally constrained to internal network access attempts.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: >=2026.1.20 <=2026.2.17
  • Latest published at patch time: 2026.2.17
  • Patched release: 2026.2.19

Security Policy Context

Per SECURITY.md, OpenClaw's web/gateway surface is intended for local use by default, public internet exposure is out-of-scope, and prompt-injection reports are out-of-scope for bounty handling. This advisory tracks a core SSRF-guard bypass in fetch protections.

Impact

This can permit SSRF-style access attempts to internal/private network targets through URL ingestion/fetch paths that rely on shared hostname/IP blocking.

Fix

  • Added RFC 5214 ISATAP embedded-IPv4 detection to the shared SSRF classifier.
  • Centralized hostname/IP blocking through isBlockedHostnameOrIp and routed relevant validators to that shared path.
  • Added regression tests for ISATAP private vs public embedded IPv4 handling.
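The detection the fix describes, as an added example that is not OpenClaw's code: a guard for IPv6 literals that parses the address into 16-bit groups, recognises the RFC 5214 ISATAP interface identifier (`...:0:5efe:w.x.y.z` or `...:200:5efe:w.x.y.z`, with the IPv4 written either as a dotted quad or as two hex groups), and applies the private-range check to the embedded IPv4. It also covers IPv4-mapped addresses (`::ffff:a.b.c.d`) as a generalization; all function names are hypothetical.

```javascript
// Added example, not OpenClaw's code: an SSRF guard for IPv6 literals that
// recognises RFC 5214 ISATAP interface identifiers (...:0:5efe:w.x.y.z or
// ...:200:5efe:w.x.y.z) and checks the embedded IPv4 against private ranges.
const HEX_GROUP = /^[0-9a-f]{1,4}$/;

// Expand an IPv6 literal (optionally bracketed, optionally ending in a dotted
// quad) into eight 16-bit groups; returns null for anything malformed.
function parseIPv6Groups(literal) {
  let s = literal.trim().replace(/^\[|\]$/g, "").toLowerCase().split("%")[0];
  const v4 = s.match(/(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) { // rewrite ...:5efe:10.0.0.1 as ...:5efe:a00:1
    const o = v4.slice(1).map(Number); if (o.some((n) => n > 255)) return null;
    s = s.slice(0, -v4[0].length) + ((o[0] << 8) | o[1]).toString(16) + ":" + ((o[2] << 8) | o[3]).toString(16);
  }
  const parts = s.split("::");
  if (parts.length > 2) return null;
  const head = parts[0] ? parts[0].split(":") : [];
  const tail = parts[1] ? parts[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (parts.length === 1 ? missing !== 0 : missing < 1) return null;
  const groups = [...head, ...Array(missing).fill("0"), ...tail];
  return groups.every((g) => HEX_GROUP.test(g)) ? groups.map((g) => parseInt(g, 16)) : null;
}

// IPv4 carried in the low 32 bits of an ISATAP (RFC 5214) or IPv4-mapped
// (::ffff:a.b.c.d) address, as a dotted quad; null if the address embeds none.
function embeddedIPv4(g) {
  const isatap = g[5] === 0x5efe && (g[4] === 0x0000 || g[4] === 0x0200);
  const mapped = g[5] === 0xffff && g.slice(0, 5).every((x) => x === 0);
  if (!isatap && !mapped) return null;
  return [g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff].join(".");
}

// Non-global IPv4 ranges an SSRF guard should refuse to fetch from.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) || (a === 100 && b >= 64 && b <= 127);
}

// Block unspecified/loopback, link-local and ULA IPv6, plus any transition address
// whose embedded IPv4 is private. Non-IPv6 input returns false so hostname/IPv4 rules run instead.
function isBlockedIPv6Literal(host) {
  const g = parseIPv6Groups(host);
  if (!g) return false;
  if (g.slice(0, 7).every((x) => x === 0) && g[7] <= 1) return true;
  if ((g[0] & 0xffc0) === 0xfe80 || (g[0] & 0xfe00) === 0xfc00) return true;
  const inner = embeddedIPv4(g);
  return inner !== null && isPrivateIPv4(inner);
}
```

Run the check on the final resolved host, after DNS and redirects, not only on the URL as submitted.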

Fix Commit(s)

  • d51929ecb52fe65e90bf36795f4247feb29eb8aa

OpenClaw thanks @zpbrent for reporting.

Affected Packages

1 total, 1 fixed

  • Ecosystem: npm
  • Package: openclaw
  • Vulnerable range: >=2026.1.20 && <2026.2.19
  • Fix: 2026.2.19

Detection & mitigation playbook

Open-source dependency
  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for openclaw. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update openclaw to 2026.2.19 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-8cp7-rp8r-mg77 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-8cp7-rp8r-mg77 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-8cp7-rp8r-mg77. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

O3 Security · Impact-Aware SCA
