PT-2026-25490 — OS Command Injection em Npm Openclaw

PT-2026-25490 · Npm · Openclaw

Publicado

2026-03-03

Atualizado

2026-03-03

CVSS v3.1

6.4

Média

Vetor

AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

When sort is explicitly added to tools.exec.safeBins (non-default), the --compress-program option can invoke an external helper and bypass the intended safe-bin approval constraints in allowlist mode.

Affected Packages / Versions

Package: openclaw (npm)
Vulnerable versions: <=2026.2.21-2
Latest published npm version checked during triage: 2026.2.21-2 (as of February 22, 2026)
Patched in planned next release: 2026.2.22

Fix Commit(s)

57fbbaebca4d34d17549accf6092ae26eb7b605c

Release Process Note

patched versions is pre-set to the planned next release (>=2026.2.22). Once that npm release is published, the advisory can be published directly.

OpenClaw thanks @tdjackey for reporting.

Correção

OS Command Injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-78CWE-15

Identificadores relacionados

GHSA-VMQR-RC7X-3446

Produtos afetados

Openclaw