Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, the WAVS bridge's computeDataVerify called fetch() on agent-supplied URLs without validating scheme, port, or resolved IP, resulting in an SSRF vulnerability. This vulnerability is fixed in 0.x.y-security-1.
AnalysisAI
Server-Side Request Forgery in JunoClaw's WAVS bridge allows remote attackers to exploit the computeDataVerify function, which fetched agent-supplied URLs without validating scheme, port, or resolved IP addresses. Attackers can trick the bridge into accessing internal cloud metadata services (AWS, GCP), RFC 1918 private networks, databases, and admin APIs running on non-standard ports. Exploitation requires user interaction (UI:R) but no authentication (PR:N), with cross-scope impact (S:C) allowing high confidentiality breach and low availability impact. Fixed in version 0.x.y-security-1 via commit a168608, which implements a comprehensive SSRF guard with scheme/port allowlists, DNS private-IP blocking for both IPv4 and IPv6 ranges, request timeouts, and body size caps. No CISA KEV listing or public exploit code identified at time of analysis.
Technical ContextAI
JunoClaw is an agentic AI platform built on Juno Network (Cosmos SDK blockchain). The vulnerable computeDataVerify function in the WAVS bridge component performs on-chain event verification by fetching arbitrary URLs submitted by AI agents to validate external data sources. The bridge runs with operator credentials and network access, making it a high-value SSRF target. CWE-918 (Server-Side Request Forgery) occurs when applications fetch remote resources based on user-controlled input without validating the destination. The commit diff shows the vulnerability existed in bridge/src/local-compute.ts where fetch(url) was called directly on agent-supplied URLs. The fix introduces safeFetch() from utils/ssrf-guard.ts, which performs multi-layered validation: scheme allowlist (http/https only, blocking file://, ftp://, gopher://), port allowlist (80/443 by default, blocking database ports 6379/5432, Cosmos RPC 26657, SSH 22), DNS resolution followed by private IP blocking against IPv4 ranges (10/8, 172.16/12, 192.168/16, 127/8, 169.254/16, 100.64/10, multicast, TEST-NET) and IPv6 ranges (::1, fc00::/7, fe80::/10, ff00::/8, plus IPv4-mapped forms), 5-second timeout via AbortController, and 1 MiB body cap with mid-stream abort. The fix also applies defense-in-depth to the computeDrandRandomness function fetching drand.love public randomness API, preventing DNS hijacks from routing requests to private IPs. CPE cpe:2.3:a:dragonmonk111:junoclaw:*:*:*:*:*:*:*:* indicates all versions prior to 0.x.y-security-1 are affected.
RemediationAI
Upgrade to JunoClaw version 0.x.y-security-1 or later from https://github.com/Dragonmonk111/junoclaw/releases/tag/v0.x.y-security-1, which includes commit a168608 implementing the SSRF guard. The patch replaces direct fetch() calls with safeFetch() from bridge/src/utils/ssrf-guard.ts, enforcing scheme allowlist (http/https only), port allowlist (80/443 by default), DNS-based private IP blocking for all IPv4 and IPv6 reserved ranges, 5-second request timeout, and 1 MiB response body cap. Operators can customize defenses via environment variables: JUNOCLAW_SSRF_ALLOWED_SCHEMES (default http,https), JUNOCLAW_SSRF_ALLOWED_PORTS (default 80,443), JUNOCLAW_SSRF_TIMEOUT_MS (default 5000), JUNOCLAW_SSRF_MAX_BYTES (default 1048576). Run npm run ssrf-guard-test from the bridge/ directory to verify the patch with regression tests covering AWS/GCP metadata endpoints, RFC 1918 ranges, IPv6 literals, and DNS rebinding scenarios. If upgrading is not immediately feasible, implement network-level controls: deploy the bridge in a restrictive security group or firewall that blocks outbound access to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16, cloud metadata endpoints 169.254.169.254 and metadata.google.internal), database ports (6379, 5432), blockchain RPC ports (26657), and non-HTTP(S) protocols, though this approach cannot prevent application-layer bypasses and adds operational complexity. Advisory available at https://github.com/Dragonmonk111/junoclaw/security/advisories/GHSA-q545-mvjf-q9pg.
JunoClaw agentic AI platform exposes BIP-39 wallet mnemonics in plaintext through LLM tool-call parameters, leaking cryp
Arbitrary file read in JunoClaw's MCP upload_wasm tool allows local attackers to exfiltrate any file accessible to the a
Command injection in JunoClaw's plugin-shell allowed adversarial argument construction to bypass the substring-based blo
Command injection in JunoClaw agentic AI platform versions prior to 0.x.y-security-1 allows local attackers to execute a
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29542