GHSA-h97f-6pqj-q452

Source

https://github.com/advisories/GHSA-h97f-6pqj-q452

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-h97f-6pqj-q452/GHSA-h97f-6pqj-q452.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-h97f-6pqj-q452

Downstream

MINI-v3pm-w274-2g6g

Published

2026-03-03T21:48:55Z

Modified

2026-03-04T15:15:11.125567Z

Severity

6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N CVSS Calculator

Summary

OpenClaw has a IPv6 multicast SSRF classifier bypass

Details

Summary

OpenClaw's SSRF IP classifier did not treat IPv6 multicast literals (ff00::/8) as blocked/private-internal. This allowed literal multicast hosts to pass SSRF preflight checks.

Impact

A bypass in address classification existed for IPv6 multicast literals. OpenClaw's network fetch/navigation paths are constrained to HTTP/HTTPS and this was triaged as low-severity defense-in-depth hardening.

Affected Packages / Versions

Package: openclaw (npm)
Affected versions: <= 2026.2.24
Patched versions: >= 2026.2.25

Technical Details

The IPv6 private/internal range set omitted multicast, so addresses like ff02::1 and ff05::1:3 were not classified as blocked by the shared SSRF classifier.

Fix Commit(s)

baf656bc6fd7f83b6033e6dbc2548ec75028641f

Release Process Note

patched_versions is pre-set to the planned next npm release (2026.2.25). Once that release is published on npm, the advisory is published.

OpenClaw thanks @zpbrent for reporting.

Database specific

{
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-918"
    ],
    "nvd_published_at": null,
    "github_reviewed_at": "2026-03-03T21:48:55Z"
}

References

Affected packages

npm / openclaw

Package

Name: openclaw; View open source insights on deps.dev
Purl: pkg:npm/openclaw

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2026.2.25

Database specific

last_known_affected_version_range

"<= 2026.2.24"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-h97f-6pqj-q452/GHSA-h97f-6pqj-q452.json"