PT-2026-25440 · Npm · Openclaw

Published 2026-03-03 · Updated 2026-03-03

CVSS v4.0: 8.6 (High)

Vector: AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

The Lobster extension tool execution path used a Windows shell fallback (shell: true) after spawn failures (EINVAL/ENOENT). In that fallback path, shell metacharacters in command arguments can be interpreted by the shell, enabling command injection.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.2.17
  • Latest confirmed affected published version: 2026.2.17
  • Patched version: 2026.2.19

Technical Details

In affected releases (including v2026.2.17), extensions/lobster/src/lobster-tool.ts retried subprocess launch with shell: true on Windows for EINVAL/ENOENT spawn errors. The fix removes shell fallback and resolves Windows wrappers to explicit executable/script argv execution.

Fix Commit(s)

  • ba7be018da354ea9f803ed356d20464df0437916

OpenClaw thanks @allsmog for reporting.

Fix

Weakness Enumeration

OS Command Injection

Related identifiers

GHSA-7FCC-CW49-XM78

Affected products

Openclaw