PT-2026-25499 · Npm · Openclaw
Publicado
2026-03-03
·
Atualizado
2026-03-03
CVSS v3.1
7.5
Alta
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Impact
OpenClaw webhook handlers for BlueBubbles and Google Chat accepted and parsed request bodies before authentication and signature checks on vulnerable releases. This allowed unauthenticated clients to hold parser work open with slow/oversized request bodies and degrade availability (slow-request DoS).
Affected Packages / Versions
- Package:
openclaw(npm) - Affected releases:
<= 2026.3.1 - Latest published vulnerable version at triage time:
2026.3.1(npm) - Fixed release:
2026.3.2(released)
Fix Commit(s)
d3e8b17aa6432536806b4853edc7939d891d0f25
Mitigation
Upgrade to
2026.3.2 (or newer). The fix enforces auth-before-body for affected webhook paths, adds strict pre-auth body/time budgets, and introduces shared in-flight/request guardrails with regression coverage.Correção
Resource Exhaustion
Allocation of Resources Without Limits
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Openclaw