diff --git a/CHANGELOG.md b/CHANGELOG.md index 8f82aa875ee..b55a00e44f2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,7 @@ Docs: https://docs.openclaw.ai ### Fixes - Agents/Subagents delivery: refactor subagent completion announce dispatch into an explicit queue/direct/fallback state machine, recover outbound channel-plugin resolution in cold/stale plugin-registry states across announce/message/gateway send paths, finalize cleanup bookkeeping when announce flow rejects, and treat Telegram sends without `message_id` as delivery failures (instead of false-success `"unknown"` IDs). (#26867, #25961, #26803, #25069, #26741) Thanks @SmithLabsLLC and @docaohieu2808. +- Security/SSRF guard: classify IPv6 multicast literals (`ff00::/8`) as blocked/private-internal targets in shared SSRF IP checks, preventing multicast literals from bypassing URL-host preflight and DNS answer validation. This ships in the next npm release (`2026.2.25`). Thanks @zpbrent for reporting. - Slack/Session threads: prevent oversized parent-session inheritance from silently bricking new thread sessions, surface embedded context-overflow empty-result failures to users, and add configurable `session.parentForkMaxTokens` (default `100000`, `0` disables). (#26912) Thanks @markshields-tl. - Models/Auth probes: map permanent auth failover reasons (`auth_permanent`, for example revoked keys) into probe auth status instead of `unknown`, so `openclaw models status --probe` reports actionable auth failures. (#25754) thanks @rrenamed. - Security/Signal: enforce DM/group authorization before reaction-only notification enqueue so unauthorized senders can no longer inject Signal reaction system events under `dmPolicy`/`groupPolicy`; reaction notifications now require channel access checks first. This ships in the next npm release (`2026.2.25`). Thanks @tdjackey for reporting. diff --git a/src/infra/net/ssrf.test.ts b/src/infra/net/ssrf.test.ts index 5826669196d..e823b35be31 100644 --- a/src/infra/net/ssrf.test.ts +++ b/src/infra/net/ssrf.test.ts @@ -38,6 +38,9 @@ const privateIpCases = [ "fe80::1%lo0", "fd00::1", "fec0::1", + "ff02::1", + "ff05::1:3", + "[ff02::1]", "2001:db8:1234::5efe:127.0.0.1", "2001:db8:1234:1:200:5efe:7f00:1", ]; diff --git a/src/shared/net/ip.test.ts b/src/shared/net/ip.test.ts index 73d385832f0..a8e4c9bd8e8 100644 --- a/src/shared/net/ip.test.ts +++ b/src/shared/net/ip.test.ts @@ -45,8 +45,10 @@ describe("shared ip helpers", () => { } }); - it("treats deprecated site-local IPv6 as private/internal", () => { + it("treats blocked IPv6 classes as private/internal", () => { expect(isPrivateOrLoopbackIpAddress("fec0::1")).toBe(true); + expect(isPrivateOrLoopbackIpAddress("ff02::1")).toBe(true); + expect(isPrivateOrLoopbackIpAddress("[ff05::1:3]")).toBe(true); expect(isPrivateOrLoopbackIpAddress("2001:4860:4860::8888")).toBe(false); }); }); diff --git a/src/shared/net/ip.ts b/src/shared/net/ip.ts index 2342bdedafe..d1f1c0a9069 100644 --- a/src/shared/net/ip.ts +++ b/src/shared/net/ip.ts @@ -27,6 +27,7 @@ const PRIVATE_OR_LOOPBACK_IPV6_RANGES = new Set([ "loopback", "linkLocal", "uniqueLocal", + "multicast", ]); const RFC2544_BENCHMARK_PREFIX: [ipaddr.IPv4, number] = [ipaddr.IPv4.parse("198.18.0.0"), 15]; export type Ipv4SpecialUseBlockOptions = {