Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 6acabbb4bccc · 2026-03-04T19:04:58.000Z
GHSA-4rqq-w8v4-7p47 GHSA-9mph-4f7v-fmvh
diff --git a/advisories/github-reviewed/2026/03/GHSA-4rqq-w8v4-7p47/GHSA-4rqq-w8v4-7p47.json b/advisories/github-reviewed/2026/03/GHSA-4rqq-w8v4-7p47/GHSA-4rqq-w8v4-7p47.json
@@ -0,0 +1,71 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4rqq-w8v4-7p47",
+  "modified": "2026-03-04T19:03:45Z",
+  "published": "2026-03-04T19:03:45Z",
+  "aliases": [],
+  "summary": "OpenClaw has incomplete IPv4 special-use SSRF blocking in web fetch guard",
+  "details": "### Summary\n`isPrivateIpv4()` in bundled SSRF guard code missed several IPv4 special-use/non-global ranges, so `web_fetch` could allow targets that should be blocked by SSRF policy.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published affected version: `2026.2.21-2` (published 2026-02-21)\n- Structured vulnerable range: `<= 2026.2.21-2`\n- Planned patched version (pre-set): `>= 2026.2.22`\n\n### Impact\nLow severity. Exploitation requires network reachability to the relevant special-use ranges and a request path that reaches `web_fetch` URL fetching.\n\n### Technical Details\nAffected releases used narrow IPv4 private-range checks that omitted multiple RFC special-use/non-global ranges. This allowed requests such as `http://198.18.0.1/...` through SSRF validation in affected releases. Follow-up hardening consolidates local-host/tailnet range checks so gateway/browser/tailnet paths share one canonical IP classification flow.\n\n### Fix Commit(s)\n- `71bd15bb4294d3d1b54386064d69cd0f5f731bd8`\n- `44dfbd23df453e51b71ef79a148c28c53e89168c`\n- `333fbb86347998526dd514290adfd5f727caa6d9`\n- `f14ebd743cfc73f667fae80af70043d0ab1f88bd`\n\nOpenClaw thanks @princeeismond-dot for reporting.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.2.22"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4rqq-w8v4-7p47"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/333fbb86347998526dd514290adfd5f727caa6d9"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/44dfbd23df453e51b71ef79a148c28c53e89168c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/71bd15bb4294d3d1b54386064d69cd0f5f731bd8"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/f14ebd743cfc73f667fae80af70043d0ab1f88bd"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-04T19:03:45Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-9mph-4f7v-fmvh/GHSA-9mph-4f7v-fmvh.json b/advisories/github-reviewed/2026/03/GHSA-9mph-4f7v-fmvh/GHSA-9mph-4f7v-fmvh.json
@@ -0,0 +1,59 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9mph-4f7v-fmvh",
+  "modified": "2026-03-04T19:02:59Z",
+  "published": "2026-03-04T19:02:59Z",
+  "aliases": [],
+  "summary": "OpenClaw has agent avatar symlink traversal in gateway session metadata",
+  "details": "## Summary\nA crafted local avatar path could follow a symlink outside the agent workspace and return arbitrary file contents as a base64 `data:` URL in gateway responses.\n\n## Impact\n- Confidentiality impact: local file read in the gateway process context.\n- Exfiltration path: `agents.list` can return the resulting `avatarUrl` payload.\n\n## Affected Components\n- `src/gateway/session-utils.ts` (`resolveIdentityAvatarUrl`)\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Introduced: `v2026.1.21`\n- Affected published versions: `<= 2026.2.21-2`\n- Planned patched version: `2026.2.22`\n\n## Remediation\n- Resolve workspace and avatar paths with `realpath` and enforce realpath containment.\n- Open files with `O_NOFOLLOW` when available.\n- Compare pre-open and opened file identity (`dev`/`ino`) to block swap races.\n- Add regression tests for outside-workspace symlink rejection and in-workspace symlink allowance.\n\n## Fix Commit(s)\n- `3d0337504349954237d09e4d957df5cb844d5e77`\n\nOpenClaw thanks @aether-ai-agent for reporting.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.2.22"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9mph-4f7v-fmvh"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/3d0337504349954237d09e4d957df5cb844d5e77"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-59"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-04T19:02:59Z",
+    "nvd_published_at": null
+  }
+}
