fix(security): block SSRF IPv6 transition bypasses

2026-02-19 18:39:20 -05:00 · 2026-02-18 04:52:44 +01:00
parent 50e5553533
commit 442fdbf3d8
3 changed files with 73 additions and 8 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -82,6 +82,7 @@ Docs: https://docs.openclaw.ai
 - BlueBubbles: include sender identifier in untrusted conversation metadata for conversation info payloads. Thanks @tyler6204.
 - Security/Exec: fix the OC-09 credential-theft path via environment-variable injection. (#18048) Thanks @aether-ai-agent.
 - Security/Config: confine `$include` resolution to the top-level config directory, harden traversal/symlink checks with cross-platform-safe path containment, and add doctor hints for invalid escaped include paths. (#18652) Thanks @aether-ai-agent.
+- Security/Net: block SSRF bypass via NAT64 (`64:ff9b::/96`, `64:ff9b:1::/48`), 6to4 (`2002::/16`), and Teredo (`2001:0000::/32`) IPv6 transition addresses, and fail closed on IPv6 parse errors. Thanks @jackhax.
 - Providers: improve error messaging for unconfigured local `ollama`/`vllm` providers. (#18183) Thanks @arosstale.
 - TTS: surface all provider errors instead of only the last error in aggregated failures. (#17964) Thanks @ikari-pl.
 - CLI/Doctor/Configure: skip gateway auth checks for loopback-only setups. (#18407) Thanks @sggolakiya.
--- a/src/infra/net/ssrf.test.ts
+++ b/src/infra/net/ssrf.test.ts
@@ -17,6 +17,20 @@ describe("ssrf ip classification", () => {
    expect(isPrivateIpAddress("0:0:0:0:0:ffff:a9fe:a9fe")).toBe(true);
  });

+  it("treats private IPv4 embedded in NAT64 prefixes as private", () => {
+    expect(isPrivateIpAddress("64:ff9b::127.0.0.1")).toBe(true);
+    expect(isPrivateIpAddress("64:ff9b::169.254.169.254")).toBe(true);
+    expect(isPrivateIpAddress("64:ff9b:1::192.168.1.1")).toBe(true);
+    expect(isPrivateIpAddress("64:ff9b:1::10.0.0.1")).toBe(true);
+  });
+
+  it("treats private IPv4 embedded in 6to4 and Teredo prefixes as private", () => {
+    expect(isPrivateIpAddress("2002:7f00:0001::")).toBe(true);
+    expect(isPrivateIpAddress("2002:a9fe:a9fe::")).toBe(true);
+    expect(isPrivateIpAddress("2001:0000:0:0:0:0:80ff:fefe")).toBe(true);
+    expect(isPrivateIpAddress("2001:0000:0:0:0:0:3f57:fefe")).toBe(true);
+  });
+
  it("treats common IPv6 private/internal ranges as private", () => {
    expect(isPrivateIpAddress("::")).toBe(true);
    expect(isPrivateIpAddress("::1")).toBe(true);
@@ -29,6 +43,15 @@ describe("ssrf ip classification", () => {
    expect(isPrivateIpAddress("93.184.216.34")).toBe(false);
    expect(isPrivateIpAddress("2606:4700:4700::1111")).toBe(false);
    expect(isPrivateIpAddress("2001:db8::1")).toBe(false);
+    expect(isPrivateIpAddress("64:ff9b::8.8.8.8")).toBe(false);
+    expect(isPrivateIpAddress("64:ff9b:1::8.8.8.8")).toBe(false);
+    expect(isPrivateIpAddress("2002:0808:0808::")).toBe(false);
+    expect(isPrivateIpAddress("2001:0000:0:0:0:0:f7f7:f7f7")).toBe(false);
+  });
+
+  it("fails closed for malformed IPv6 input", () => {
+    expect(isPrivateIpAddress("::::")).toBe(true);
+    expect(isPrivateIpAddress("2001:db8::gggg")).toBe(true);
  });
 });

--- a/src/infra/net/ssrf.ts
+++ b/src/infra/net/ssrf.ts
@@ -146,15 +146,55 @@ function extractIpv4FromEmbeddedIpv6(hextets: number[]): number[] | null {
  // IPv4-mapped: ::ffff:a.b.c.d (and full-form variants)
  // IPv4-compatible: ::a.b.c.d (deprecated, but still needs private-network blocking)
  const zeroPrefix = hextets[0] === 0 && hextets[1] === 0 && hextets[2] === 0 && hextets[3] === 0;
-  if (!zeroPrefix || hextets[4] !== 0) {
-    return null;
+  if (zeroPrefix && hextets[4] === 0 && (hextets[5] === 0xffff || hextets[5] === 0)) {
+    const high = hextets[6];
+    const low = hextets[7];
+    return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff];
  }
-  if (hextets[5] !== 0xffff && hextets[5] !== 0) {
-    return null;
+
+  // NAT64 well-known prefix: 64:ff9b::/96
+  if (
+    hextets[0] === 0x0064 &&
+    hextets[1] === 0xff9b &&
+    hextets[2] === 0 &&
+    hextets[3] === 0 &&
+    hextets[4] === 0 &&
+    hextets[5] === 0
+  ) {
+    const high = hextets[6];
+    const low = hextets[7];
+    return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff];
  }
-  const high = hextets[6];
-  const low = hextets[7];
-  return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff];
+
+  // NAT64 local-use prefix: 64:ff9b:1::/48 (common ::x.x.x.x form)
+  if (
+    hextets[0] === 0x0064 &&
+    hextets[1] === 0xff9b &&
+    hextets[2] === 0x0001 &&
+    hextets[3] === 0 &&
+    hextets[4] === 0 &&
+    hextets[5] === 0
+  ) {
+    const high = hextets[6];
+    const low = hextets[7];
+    return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff];
+  }
+
+  // 6to4 prefix: 2002::/16 where hextets[1..2] carry the IPv4 address.
+  if (hextets[0] === 0x2002) {
+    const high = hextets[1];
+    const low = hextets[2];
+    return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff];
+  }
+
+  // Teredo prefix: 2001:0000::/32 where client IPv4 is obfuscated via XOR 0xffff.
+  if (hextets[0] === 0x2001 && hextets[1] === 0x0000) {
+    const high = hextets[6] ^ 0xffff;
+    const low = hextets[7] ^ 0xffff;
+    return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff];
+  }
+
+  return null;
 }

 function isPrivateIpv4(parts: number[]): boolean {
@@ -195,7 +235,8 @@ export function isPrivateIpAddress(address: string): boolean {
  if (normalized.includes(":")) {
    const hextets = parseIpv6Hextets(normalized);
    if (!hextets) {
-      return false;
+      // Security-critical parse failures should fail closed.
+      return true;
    }

    const isUnspecified =