PT-2026-25116 · Npm · Openclaw

Publicado

2026-03-02

·

Atualizado

2026-03-02

CVSS v4.0

6.9

Média

VetorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Summary

extensions/feishu/src/bot.ts constructed new RegExp() directly from Feishu mention metadata (mention.name, mention.key) in stripBotMention() without escaping regex metacharacters.

Affected Packages / Versions

  • Package: npm openclaw
  • Affected versions: <= 2026.2.17
  • First affected release: 2026.2.6
  • Patched version: 2026.2.19

Impact

  • ReDoS: crafted nested-quantifier patterns in mention metadata can trigger catastrophic backtracking and block message processing.
  • Regex injection: metacharacters in mention metadata can remove unintended message content before it is sent to the model.

Fix Commit(s)

  • 7e67ab75cc2f0e93569d12fecd1411c2961fcc8c
  • 74268489137510b6f6349919d1e197b17290d92c
Thanks @allsmog for reporting.

Correção

DoS

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-1333

Identificadores relacionados

GHSA-C6HR-W26Q-C636

Produtos afetados

Openclaw