GHSA-h97f-6pqj-q452: OpenClaw has a IPv6 multicast SSRF classifier bypass

March 3, 2026

OpenClaw’s SSRF IP classifier did not treat IPv6 multicast literals (ff00::/8) as blocked/private-internal. This allowed literal multicast hosts to pass SSRF preflight checks.

References

github.com/advisories/GHSA-h97f-6pqj-q452
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/baf656bc6fd7f83b6033e6dbc2548ec75028641f
github.com/openclaw/openclaw/security/advisories/GHSA-h97f-6pqj-q452

Code Behaviors & Features

Detect and mitigate GHSA-h97f-6pqj-q452 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →