PT-2026-25131 · Npm · Openclaw

Published: 2026-03-02 · Updated: 2026-03-02

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Summary

OpenClaw did not consistently enforce configured inbound media byte limits before buffering remote media in several channel ingestion paths. A remote sender could trigger oversized downloads and memory pressure before rejection.
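As an added illustration (not OpenClaw's code; the function names and the constructed chunk source are hypothetical), this contrasts checking the byte limit only after the whole body has been buffered with enforcing it per chunk while the body streams in, plus a pre-check on a declared length:

```javascript
// Added example, not OpenClaw code: two ways to apply an inbound media
// byte limit to a remote download. `chunks` stands in for the response
// body; a real ingestion path would use `for await` over a fetch body.
class MediaTooLarge extends Error {
  constructor(limit, seen) {
    super(`inbound media exceeds ${limit} bytes (saw ${seen})`);
    this.limit = limit;
    this.seen = seen;
  }
}

// Weak pattern: buffer the whole body, then compare with the limit.
// Memory already scales with the sender-chosen size before rejection.
function bufferThenCheck(chunks, maxBytes) {
  const body = Buffer.concat([...chunks]);
  if (body.length > maxBytes) throw new MediaTooLarge(maxBytes, body.length);
  return body;
}

// Hardened pattern: reject an over-limit declared Content-Length before
// reading anything, then count bytes per chunk and stop as soon as the
// running total passes the limit, so at most limit + one chunk is held.
function bufferWithLimit(chunks, maxBytes, declaredLength) {
  if (declaredLength !== undefined && declaredLength > maxBytes) {
    throw new MediaTooLarge(maxBytes, declaredLength);
  }
  const held = [];
  let seen = 0;
  for (const chunk of chunks) {
    seen += chunk.length;
    if (seen > maxBytes) throw new MediaTooLarge(maxBytes, seen);
    held.push(chunk);
  }
  return Buffer.concat(held, seen);
}

// Constructed stand-in for a remote body: yields `count` chunks of
// `size` bytes and records how many bytes the consumer actually pulled.
function chunkSource(count, size) {
  const src = {
    pulled: 0,
    *[Symbol.iterator]() {
      for (let i = 0; i < count; i++) {
        src.pulled += size;
        yield Buffer.alloc(size, 0x41);
      }
    },
  };
  return src;
}
```

With a 256-byte limit and a 640-byte body, the weak path pulls all 640 bytes before rejecting, while the hardened path stops after 320 bytes (or reads nothing at all when the declared length already exceeds the limit).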

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.2.21-2 (latest published at triage time)
  • Fixed in: 2026.2.22 (planned next release)

Impact

An attacker could cause elevated memory usage and potential process instability (denial of service) by sending oversized media payloads.

Fix Commit(s)

  • 73d93dee64127a26f1acd09d0403b794cdeb4f5c

Release Process Note

The patched version is pre-set to the planned next release (2026.2.22). After that npm release is published, this advisory can be published without further edits to the version field.
OpenClaw thanks @tdjackey for reporting.

Weakness Enumeration

  • Allocation of Resources Without Limits
  • Resource Exhaustion

Related identifiers

GHSA-RXXP-482V-7MRH

Affected products

Openclaw