Skip to content

WeKnora has DNS Rebinding Vulnerability in web_fetch Tool that Allows SSRF to Internal Resources

High severity GitHub Reviewed Published Mar 6, 2026 in Tencent/WeKnora • Updated Mar 9, 2026

Package

gomod github.com/Tencent/WeKnora (Go)

Affected versions

<= 0.2.14

Patched versions

0.3.0

Description

Summary

A DNS rebinding vulnerability in the web_fetch tool allows an unauthenticated attacker to bypass URL validation and access internal resources on the server, including private IP addresses (e.g., 127.0.0.1, 192.168.x.x). By crafting a malicious domain that resolves to a public IP during validation and subsequently resolves to a private IP during execution, an attacker can access sensitive local services and potentially exfiltrate data.

Details

The vulnerability exists because the web_fetch tool lacks complete DNS pinning. The application performs URL validation only once via validateParams(), but the URL is then passed unchanged to the fetchHTMLContent() function, which eventually reaches fetchWithChromedp(). The headless browser (Chromedp) resolves the hostname independently without DNS pinning, allowing a time-of-check-time-of-use (TOCTOU) attack.

Validation phase (first DNS resolution):

if err := t.validateParams(p); err != nil {
    // Returns error for private IPs
    results[index] = &webFetchItemResult{
        err: err,
        // ...
    }
    return
}

Execution phase (second DNS resolution):
The original URL (not the resolved IP) is passed through the execution chain:

output, data, err := t.executeFetch(ctx, p)
// Calls fetchHTMLContent(ctx, targetURL) where targetURL is the original hostname

Chromedp execution (vulnerable DNS resolution):

func (t *WebFetchTool) fetchWithChromedp(ctx context.Context, targetURL string) (string, error) {
    // targetURL is not DNS-pinned; browser resolves it independently
    err := chromedp.Run(ctx,
        chromedp.Navigate(targetURL),  // Third DNS lookup occurs here
        chromedp.WaitReady("body", chromedp.ByQuery),
        chromedp.OuterHTML("html", &html),
    )
}

The attacker controls a domain that can be configured to return different DNS responses to different queries, enabling them to bypass the initial private IP check and access restricted resources during the actual fetch.

PoC

Setup:

  1. Deploy the DNS rebinding server (attached Python file) with the following systemd configuration:
[Unit]
Description=DNS Rebinding Test Server
After=network.target

[Service]
Type=simple
User=root
WorkingDirectory=/root/Repos/dns-rebinding-server
ExecStart=/root/.proto/shims/python -u /root/Repos/dns-rebinding-server/server.py --token aleister1102 --domain aleister.ninja --port 53 --global-tracking --ip1 1.1.1.1 --ip2 0.0.0.0 --first-response-count 1 --reset-time 0
Restart=always
RestartSec=3

[Install]
WantedBy=multi-user.target

This configures the DNS server to:

  • Return 1.1.1.1 (a public IP) for the first DNS query
  • Return 127.0.0.1 (localhost) for all subsequent queries
  • TTL is set to 0 to prevent caching

The sequence can also be reset via reset.domain.com (reset to 1.1.1.1).

Note: We may need to reset the sequence as the TOCTOU attack is not truly reliable and needs to be triggered multiple times.

  1. Set up a simple HTTP server on the localhost of the backend service:
python -m http.server 8888
  1. Configure the malicious domain to point to the DNS rebinding server

Execution:

  1. Enable web search on an agent.
  2. Prompt the agent to fetch content from the attacker-controlled domain (e.g., http://attacker.example.com)
  3. The sequence of events:
    • First DNS query (validation phase): attacker.example.com1.1.1.1 ✓ Passes validation
    • Second DNS query (execution phase): attacker.example.com127.0.0.1 ✗ Bypass achieved
    • The web_fetch tool successfully connects to 127.0.0.1:8080 and returns the local server's content

Result:
The attacker gains access to the local HTTP server and can read its content, demonstrating that internal resources are now accessible through the rebinding attack.

image

PoC video:

https://github.com/user-attachments/assets/68daaa87-4b9b-4b6e-b6f6-ee123f5fcda9

Impact

Vulnerability Type: DNS Rebinding / Server-Side Request Forgery (SSRF)

Who is impacted:

  • Any user or agent with web search capability can exploit this vulnerability
  • The vulnerability grants access to internal services, configuration files, metadata services, and other sensitive resources normally restricted to the internal network
  • In cloud environments, this could allow access to metadata endpoints (e.g., AWS IMDSv1) to obtain credentials and secrets\

References

@lyingbug lyingbug published to Tencent/WeKnora Mar 6, 2026
Published to the GitHub Advisory Database Mar 6, 2026
Reviewed Mar 6, 2026
Published by the National Vulnerability Database Mar 7, 2026
Last updated Mar 9, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(26th percentile)

Weaknesses

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Learn more on MITRE.

CVE ID

CVE-2026-30858

GHSA ID

GHSA-h6gw-8f77-mmmp

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.