PT-2026-25102 · Npm · Openclaw

Publicado

2026-03-03

·

Atualizado

2026-03-03

CVSS v4.0

6.9

Média

VetorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Vulnerability

The hook authentication throttle keyed failed attempts by raw socket remoteAddress text.
IPv4 and IPv4-mapped IPv6 forms of the same client (for example 1.2.3.4 and ::ffff:1.2.3.4) were treated as different clients, allowing separate rate-limit buckets.

Impact

An attacker could split failed hook-auth attempts across both address forms and effectively double the brute-force budget from 20 to 40 attempts per 60-second window.

Affected Components

  • src/gateway/server-http.ts
  • src/gateway/auth-rate-limit.ts

Affected Packages / Versions

  • Package: openclaw (npm)
  • Vulnerable versions: <= 2026.2.21-2
  • Patched version (planned next release): 2026.2.22

Remediation

Centralize and reuse canonical client-IP normalization for auth rate-limiting, and use that canonical key for hook auth throttling.

Fix Commit(s)

  • 3284d2eb227e7b6536d543bcf5c3e320bc9d13c5

Release Process Note

patched versions is pre-set to the planned next release (2026.2.22) so once npm release 2026.2.22 is published, this advisory can be published directly.
OpenClaw thanks @aether-ai-agent for reporting.

Correção

Allocation of Resources Without Limits

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-770

Identificadores relacionados

GHSA-5847-RM3G-23MW

Produtos afetados

Openclaw