PT-2026-25126 · Npm · @Openclaw/Voice-Call+1

Published: 2026-03-02 · Updated: 2026-03-02

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Summary

@openclaw/voice-call (and the bundled copy shipped in openclaw) accepted media-stream WebSocket upgrades before stream validation. In reachable deployments, unauthenticated pre-start sockets could be held open and increase resource pressure.

Affected Packages / Versions

  • openclaw (npm): vulnerable <= 2026.2.21-2, patched in 2026.2.22.
  • @openclaw/voice-call (npm): vulnerable <= 2026.2.21, patched in 2026.2.22.

Technical Details

Before this fix, the voice-call media-stream path upgraded sockets first and ran shouldAcceptStream() after a later start frame. This created a pre-auth window where remote clients could hold idle sockets without call/token validation.

Impact

Availability risk in deployments where the media-stream endpoint is reachable and streaming is enabled. Under sustained abuse, this could consume connection-related resources and degrade service for legitimate streams.

Remediation

The fix adds layered controls in the media-stream path:
  • strict pre-start timeout (close sockets that do not send a valid start frame quickly)
  • global pending-connection cap
  • per-IP pending-connection cap
  • total open media-stream connection cap
  • safer upgrade-path parsing in the webhook server
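The layered controls listed above, as an added illustration in JavaScript (not OpenClaw's code; the limit values, class name and method names are assumptions): a guard that the WebSocket upgrade handler consults before accepting a socket, and again when the start frame arrives, so that pre-start sockets are bounded per IP and globally, swept after a short timeout, and only counted as open once the stream is validated.

```javascript
// Constructed example of the admission controls described in the advisory.
// Limits are assumed placeholder values, not OpenClaw's configuration.
const LIMITS = { preStartMs: 5000, maxPending: 4, maxPendingPerIp: 2, maxOpen: 8 };

class MediaStreamGuard {
  constructor(limits = LIMITS, now = Date.now) {
    this.limits = limits;
    this.now = now;                 // injectable clock so the sweep is testable
    this.pending = new Map();       // socket -> { ip, since } (upgraded, no start frame yet)
    this.pendingPerIp = new Map();  // ip -> number of pending sockets
    this.open = new Set();          // sockets that passed start-frame validation
  }
  // Called at upgrade time, before any start frame has been received.
  admitUpgrade(socket, ip) {
    const l = this.limits;
    if (this.pending.size + this.open.size >= l.maxOpen) return 'reject:total-cap';
    if (this.pending.size >= l.maxPending) return 'reject:pending-cap';
    if ((this.pendingPerIp.get(ip) || 0) >= l.maxPendingPerIp) return 'reject:per-ip-cap';
    this.pending.set(socket, { ip, since: this.now() });
    this.pendingPerIp.set(ip, (this.pendingPerIp.get(ip) || 0) + 1);
    return 'pending';
  }
  // Called when the client sends its start frame; `validate` stands in for the
  // application's shouldAcceptStream() call/token check (assumed signature).
  onStartFrame(socket, frame, validate) {
    const entry = this.pending.get(socket);
    if (!entry) return 'reject:not-pending';
    this._release(socket, entry);
    if (!validate(frame)) { socket.close(); return 'reject:invalid-start'; }
    this.open.add(socket);
    return 'open';
  }
  // Strict pre-start timeout: close sockets that never sent a valid start frame.
  // Run periodically (e.g. from setInterval); returns the number closed.
  sweep() {
    const cutoff = this.now() - this.limits.preStartMs;
    let closed = 0;
    for (const [socket, entry] of this.pending) {
      if (entry.since <= cutoff) { this._release(socket, entry); socket.close(); closed++; }
    }
    return closed;
  }
  onClose(socket) {
    const entry = this.pending.get(socket);
    if (entry) this._release(socket, entry);
    this.open.delete(socket);
  }
  _release(socket, entry) {
    this.pending.delete(socket);
    const n = (this.pendingPerIp.get(entry.ip) || 1) - 1;
    if (n > 0) this.pendingPerIp.set(entry.ip, n); else this.pendingPerIp.delete(entry.ip);
  }
}
```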

Fix Commit(s)

  • 1d8968c8a821ff1a05c294a1846b3bcb6f343794

Release Process Note

Patched versions are pre-set to 2026.2.22, so this advisory is ready to publish once openclaw@2026.2.22 and @openclaw/voice-call@2026.2.22 are released on npm.
OpenClaw thanks @jiseoung for reporting.

Weakness Enumeration

  • Allocation of Resources Without Limits
  • Resource Exhaustion

Related identifiers

  • GHSA-MFG5-7Q5G-F37J

Affected products

  • @Openclaw/Voice-Call
  • Openclaw