ZAST.AI Security Advisory: Critical SSRF Resolved in ClawdBot.

zast ai @zast_ai_0day



Publish Date: Jan 27

While the community focused on general configuration risks, ZAST verified the actual code.

Our engine autonomously identified a high-severity SSRF vulnerability exploitable via DNS rebinding. The flaw was a classic TOCTOU (time-of-check to time-of-use) gap: the outbound hostname was validated against one DNS answer and then resolved again when the request was actually made, so an attacker-controlled record could return a public address for the check and an internal one for the connection, bypassing the validation and reaching internal networks.

The Resolution: Our Co-founder Chris Zheng reported this to the maintainer (@steipete), who acknowledged the issue and pushed a fix immediately.

The project has now implemented DNS pinning (resolve once, validate the returned address, and connect to that same address rather than re-resolving the name) to eliminate the vector. We are proud to be credited in the changelog for securing the ecosystem.

View the official fix: https://github.com/clawdbot/clawdbot/commit/b623557a2ec7e271bda003eb3ac33fbb2e218505
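The two patterns described above, as an added example in plain Node.js that is not ClawdBot's code and does not reproduce the project's actual helpers or the exact checks in the linked commit. The resolver and socket layer are constructed stand-ins (`makeRebindingResolver`, `fakeConnect`) so the block runs offline; a real implementation would call `dns.lookup` and dial the pinned address, which in Node is what passing a custom `lookup` option to `http.request` or an `http.Agent` achieves. The first function validates the name and then lets the client resolve it again (the TOCTOU gap); the second resolves once, validates every returned address, and dials the validated address with the name carried in the Host header.

```javascript
// Added example, not ClawdBot's code: check-then-use SSRF guard beside a
// DNS-pinned guard, driven by a constructed resolver that rebinds.

const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// True for loopback, link-local, RFC 1918, shared (CGNAT) and unspecified
// ranges, including IPv4-mapped IPv6 forms. Non-literals fail closed (true).
function isPrivateIp(ip) {
  const lower = ip.toLowerCase();
  const m = IPV4.exec(lower);
  if (m) {
    const [a, b] = m.slice(1).map(Number);
    return a === 0 || a === 10 || a === 127 ||
      (a === 100 && b >= 64 && b <= 127) ||   // 100.64.0.0/10
      (a === 169 && b === 254) ||              // link-local, incl. cloud metadata 169.254.169.254
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168);
  }
  if (lower.includes(":")) {
    if (lower === "::1" || lower === "::") return true;
    if (lower.startsWith("::ffff:")) {       // IPv4-mapped: unwrap and recheck
      const rest = lower.slice(7);
      if (IPV4.test(rest)) return isPrivateIp(rest);
      const [hi, lo] = rest.split(":").map((h) => parseInt(h, 16));
      return isPrivateIp(`${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`);
    }
    const first = parseInt(lower.split(":")[0] || "0", 16);
    return (first & 0xfe00) === 0xfc00 ||    // fc00::/7 unique local
           (first & 0xffc0) === 0xfe80;      // fe80::/10 link-local
  }
  return true;
}

// Constructed stand-in for DNS (assumption, not a real resolver). An
// attacker-controlled zone with a 0 TTL answers differently on consecutive
// lookups: `answers[0]` first, then the next entry, then the last one forever.
function makeRebindingResolver(answers) {
  let calls = 0;
  return (hostname) => {
    const addr = answers[Math.min(calls, answers.length - 1)];
    calls += 1;
    return [addr];                           // list: real lookups can return several
  };
}

// Constructed stand-in for the socket layer: records which address was dialled.
function fakeConnect(ip, hostname) {
  return { dialled: ip, hostHeader: hostname };
}

// Vulnerable pattern (time-of-check / time-of-use): validate what the resolver
// returns, then hand the *hostname* to the HTTP client, which resolves it a
// second time and receives the rebound answer.
function fetchVulnerable(url, resolve, connect = fakeConnect) {
  const { hostname } = new URL(url);
  const checked = resolve(hostname);                       // time of check
  if (checked.some(isPrivateIp)) throw new Error(`blocked: ${hostname}`);
  const used = resolve(hostname);                          // time of use: a second lookup
  return connect(used[0], hostname);
}

// Pinned pattern: resolve exactly once, reject if any returned address is
// internal, then dial the validated address itself with the name in the Host
// header. No second lookup exists for a rebinding record to influence.
function fetchPinned(url, resolve, connect = fakeConnect) {
  const { hostname } = new URL(url);
  const addresses = resolve(hostname);
  if (addresses.length === 0 || addresses.some(isPrivateIp)) {
    throw new Error(`blocked: ${hostname}`);
  }
  return connect(addresses[0], hostname);
}

// Same rebinding record against both guards. The hostname is a placeholder.
function demo() {
  const url = "http://attacker.example/hook";
  const rebind = () => makeRebindingResolver(["203.0.113.10", "127.0.0.1"]);
  return {
    vulnerable: fetchVulnerable(url, rebind()).dialled,   // "127.0.0.1"
    pinned: fetchPinned(url, rebind()).dialled,           // "203.0.113.10"
  };
}
```

Two caveats a practitioner should carry over: every redirect hop must go back through the pinned path (a 302 to `http://127.0.0.1/` is the same bypass one step later), and the pinned address must be the one the socket actually dials, not merely the one logged; if the HTTP client is handed a hostname anywhere between validation and `connect()`, the gap reopens.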
