While the community focused on general configuration risks, ZAST verified the actual code.
Our engine autonomously identified a high-severity SSRF vulnerability exploitable via DNS rebinding. The flaw was a classic TOCTOU (Time-of-Check to Time-of-Use) gap: the hostname was validated against one resolved address, but the request that followed resolved it again, allowing attackers to bypass validation and reach internal networks.
The Resolution: Our Co-founder Chris Zheng reported this to the maintainer (@steipete), who acknowledged the issue and pushed a fix immediately.
The project has now implemented DNS Pinning to eliminate the vector. We are proud to be credited in the changelog for securing the ecosystem.
View the official fix: https://github.com/clawdbot/clawdbot/commit/b623557a2ec7e271bda003eb3ac33fbb2e218505
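To make the gap and the fix concrete, here is an added illustration in Node.js-style JavaScript. It is example code written for this post, not clawdbot's code and not the linked commit. The resolver and the transport are mocked so it runs offline; the rebinding answers and the 203.0.113.10 address are constructed test values; IPv6 handling is deliberately simplified; and `makePinnedLookup` assumes the `lookup` option signature that Node's `http.request` accepts.

```javascript
// Added example (not clawdbot's code): the DNS-rebinding TOCTOU gap in an SSRF
// guard, and the DNS-pinning pattern that closes it. Everything that would
// touch the network is mocked so the file runs offline.

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Private, loopback, link-local and reserved IPv4 ranges a URL fetcher must not reach.
function isPrivateIPv4(ip) {
  const m = IPV4_RE.exec(ip);
  if (!m) return true; // malformed literal: fail closed
  const [a, b] = m.slice(1, 3).map(Number);
  if ([a, b].some((n) => n > 255)) return true;
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    a >= 224 // multicast and reserved
  );
}

// Decide whether a resolved address may be contacted. Simplified IPv6 handling
// (assumption for this example): block loopback, unspecified, unique-local,
// link-local and IPv4-mapped forms that wrap a blocked IPv4 address.
function isBlockedAddress(ip) {
  const lower = String(ip).toLowerCase();
  if (lower.startsWith("::ffff:")) return isPrivateIPv4(lower.slice(7));
  if (lower.includes(":")) {
    return lower === "::1" || lower === "::" ||
      lower.startsWith("fc") || lower.startsWith("fd") || lower.startsWith("fe80");
  }
  return isPrivateIPv4(lower);
}

// Constructed rebinding resolver: answers with the first address on the first
// query and later entries afterwards, which is what a low-TTL rebinding name
// server does. It is a test fixture standing in for real DNS.
function makeRebindingResolver(answers) {
  let i = 0;
  return () => answers[Math.min(i++, answers.length - 1)];
}

// Mock transport: records which address the connection actually targets.
function connect(ip, hostname) {
  return { connectedTo: ip, hostHeader: hostname };
}

// VULNERABLE pattern (the TOCTOU gap): validate the address the hostname resolves
// to, then hand the *hostname* to the HTTP client, which resolves it a second time.
function fetchVulnerable(hostname, resolve) {
  const checked = resolve(hostname); // time of check
  if (isBlockedAddress(checked)) throw new Error("blocked: " + checked);
  const actual = resolve(hostname); // time of use: an independent lookup
  return connect(actual, hostname);
}

// PINNED pattern: resolve once, validate that address, and connect to exactly
// that address while still sending the original hostname (Host header / SNI).
function fetchPinned(hostname, resolve) {
  const pinned = resolve(hostname);
  if (isBlockedAddress(pinned)) throw new Error("blocked: " + pinned);
  return connect(pinned, hostname);
}

// One way to apply the pin with Node's real client: http.request accepts a
// custom `lookup`; this returns a lookup that always answers with the pinned
// address (assumed usage for this example, not the project's own fix).
function makePinnedLookup(pinnedIp) {
  const family = pinnedIp.includes(":") ? 6 : 4;
  return (hostname, options, callback) => {
    if (typeof options === "function") return options(null, pinnedIp, family);
    if (options && options.all) return callback(null, [{ address: pinnedIp, family }]);
    return callback(null, pinnedIp, family);
  };
}

// Run both fetchers against the same rebinding sequence: public first, then loopback.
function demo() {
  const answers = ["203.0.113.10", "127.0.0.1"]; // constructed: TEST-NET-3 then loopback
  const vulnerable = fetchVulnerable("rebind.example", makeRebindingResolver(answers));
  const pinned = fetchPinned("rebind.example", makeRebindingResolver(answers));
  return { vulnerable: vulnerable.connectedTo, pinned: pinned.connectedTo };
}
```

Calling `demo()` shows the vulnerable fetcher passing its check on 203.0.113.10 and then connecting to 127.0.0.1, while the pinned fetcher connects to the address it validated. The same idea carries over to redirects: every hop has to be re-resolved, re-checked and re-pinned, since a redirect target is just another hostname to rebind.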
