PT-2026-22532 · npm · OpenClaw
Published 2026-02-19 · Updated 2026-02-19
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Summary
The web fetch tool could be used to crash the OpenClaw Gateway process (OOM / resource exhaustion) by fetching and attempting to parse attacker-controlled web pages with oversized response bodies or pathological HTML nesting.
Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: <= 2026.2.14
- Fixed versions: >= 2026.2.15
Impact
An attacker can social-engineer a user (or any automation that uses web fetch) into fetching a malicious URL that returns extremely large or deeply nested HTML. The Gateway may exhaust memory or become unresponsive, causing a denial of service.
Fix
The Gateway now caps the downloaded response body size before any HTML parsing and adds additional guards to avoid running Readability/DOM parsing on pathological HTML.
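A minimal form of the two guards described in the fix, as an added Node.js example that is not OpenClaw's own code: the byte and depth limits are assumed values, and the depth check is a cheap pre-parse heuristic rather than a full HTML parse.

```javascript
// Added example, not OpenClaw's code: bound the fetched body while streaming and
// refuse pathological nesting before any Readability/DOM parsing runs.
const MAX_BODY_BYTES = 2 * 1024 * 1024;  // assumed cap: 2 MiB
const MAX_NESTING_DEPTH = 512;           // assumed cap on element depth
const VOID_TAGS = new Set(['area', 'base', 'br', 'col', 'embed', 'hr', 'img',
  'input', 'link', 'meta', 'param', 'source', 'track', 'wbr']);

class BodyTooLargeError extends Error {}

// Consume an async iterable of byte chunks (e.g. a fetch Response.body) and stop
// as soon as the running total passes the cap, so an oversized body is never
// fully buffered in memory.
async function readBodyBounded(chunks, maxBytes = MAX_BODY_BYTES) {
  const parts = [];
  let total = 0;
  for await (const chunk of chunks) {
    total += chunk.length;
    if (total > maxBytes) throw new BodyTooLargeError(`body exceeds ${maxBytes} bytes`);
    parts.push(Buffer.from(chunk));
  }
  return Buffer.concat(parts).toString('utf8');
}

// Single-pass heuristic for maximum element nesting depth: +1 on an opening tag,
// -1 on a closing tag; void and self-closing tags do not change depth. A '>' inside
// an attribute value can skew the count, which is acceptable for a pre-parse guard.
function maxNestingDepth(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)[^>]*?(\/?)>/g;
  let depth = 0, max = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, closing, name, selfClosing] = m;
    if (VOID_TAGS.has(name.toLowerCase()) || selfClosing) continue;
    if (closing) depth = Math.max(0, depth - 1);
    else if (++depth > max) max = depth;
  }
  return max;
}

// Gate before DOM parsing: returns the HTML if within the depth limit, else null.
function guardHtml(html, maxDepth = MAX_NESTING_DEPTH) {
  return maxNestingDepth(html) > maxDepth ? null : html;
}

// Both guards composed around Node's global fetch (Node 18+); Response.body is an
// async-iterable ReadableStream of Uint8Array chunks. Not invoked in this file.
async function fetchHtmlGuarded(url) {
  const res = await fetch(url, { redirect: 'follow' });
  if (!res.body) return null;
  const html = await readBodyBounded(res.body);  // throws BodyTooLargeError if oversized
  return guardHtml(html);                         // null means: skip Readability/DOM parsing
}
```

A null result or a BodyTooLargeError is the signal to skip parsing and return an error to the caller instead of handing the document to the DOM parser.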
Fix Commit(s)
- 166cf6a3e04c7df42bea70a7ad5ce2b9df46d147
Release Process Note
This advisory is prepared for the next npm release. Once openclaw@2026.2.15 is published, publish this advisory without further edits.
Thanks @xuemian168 for reporting.
Fix
Resource Exhaustion
Weakness Enumeration
Related identifiers
Affected products
OpenClaw