PT-2026-25502 · Npm · Openclaw
Publicado
2026-03-03
·
Atualizado
2026-03-03
CVSS v4.0
7.8
Alta
| Vetor | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N |
Summary
A sandbox path validation bypass in
openclaw allows host file reads outside sandboxRoot via the media path fallback tmp flow when the fallback tmp root is a symlink alias.Affected Packages / Versions
- Package:
npm openclaw - Affected versions:
<= 2026.2.24 - Latest published npm version at triage time (February 26, 2026):
2026.2.24 - Patched version :
2026.2.25
Details
When
/tmp/openclaw is unavailable or unsafe, resolvePreferredOpenClawTmpDir() in src/infra/tmp-openclaw-dir.ts fell back to os.tmpdir()/openclaw-<uid> without verifying that fallback path was a trusted non-symlink directory.resolveSandboxedMediaSource() (src/agents/sandbox-paths.ts) allows absolute tmp media paths under the OpenClaw tmp root using lexical containment and alias checks. If the fallback tmp root is a symlink alias (for example to /), inputs like $TMPDIR/openclaw-<uid>/etc/passwd can pass validation and resolve to host files outside sandboxRoot.Impact
This can break sandbox media path confinement and permit unauthorized host file reads (confidentiality impact).
Reproduction (high level)
- Force resolver fallback (make
/tmp/openclawunavailable/invalid). - Make fallback root (
$TMPDIR/openclaw-<uid>) a symlink alias to/. - Submit media path under fallback root (for example
$TMPDIR/openclaw-<uid>/etc/passwd). - Observe accepted path and read outside
sandboxRoot.
Fix Commit(s)
496a76c03ba85e15ea715e5a583e498ae04d36e3
Release Process Note
Patched version is pre-set to release
2026.2.25; once npm publish for 2026.2.25 is complete, this advisory can be published without further metadata edits.OpenClaw thanks @tdjackey for reporting.
Correção
Path traversal
Link Following
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Openclaw