PT-2026-31355 · Npm · Openclaw
Published 2026-03-29 · Updated 2026-03-29
CVSS v4.0: 6.9 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
Summary
Feishu webhook reads and parses unauthenticated request bodies before signature validation
Affected Packages / Versions
- Package: openclaw
- Affected versions: <= 2026.3.24
- First patched version: 2026.3.25
- Latest published npm version at verification time: 2026.3.24
Details
Feishu webhook handling previously parsed JSON before signature validation, which let unauthenticated callers force full JSON parsing work before rejection. Commit 5e8cb22176e9235e224be0bc530699261eb60e53 reads the raw request body, validates the signature first, and only then parses JSON.

Verified vulnerable on tag v2026.3.24 and fixed on main by commit 5e8cb22176e9235e224be0bc530699261eb60e53.

Fix Commit(s)
- 5e8cb22176e9235e224be0bc530699261eb60e53
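
The ordering change described in Details, as an added example that is not openclaw's code: it puts a parse-first handler beside a verify-first handler and counts how often JSON parsing runs for an unsigned body. The signature scheme (hex HMAC-SHA256 over the raw body), the 64 KiB size cap, the secret and all function names are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

const MAX_BODY_BYTES = 64 * 1024; // assumed cap; size to the largest legitimate event
let parseCalls = 0;               // instrumentation: counts JSON.parse invocations

function parseJson(raw) {
  parseCalls += 1;
  return JSON.parse(raw.toString("utf8"));
}

// Hypothetical scheme: hex HMAC-SHA256 of the raw body under a shared secret.
function sign(secret, raw) {
  return crypto.createHmac("sha256", secret).update(raw).digest("hex");
}

function signatureOk(secret, raw, presentedHex) {
  const expected = Buffer.from(sign(secret, raw), "hex");
  const presented = Buffer.from(String(presentedHex || ""), "hex");
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  return presented.length === expected.length &&
    crypto.timingSafeEqual(presented, expected);
}

// Pre-fix ordering: the body is parsed before the caller is authenticated.
function handleParseFirst(secret, raw, sigHex) {
  let event;
  try { event = parseJson(raw); } catch { return { status: 400 }; }
  if (!signatureOk(secret, raw, sigHex)) return { status: 401 };
  return { status: 200, event };
}

// Post-fix ordering: size cap, signature over the raw bytes, then parse.
function handleVerifyFirst(secret, raw, sigHex) {
  if (raw.length > MAX_BODY_BYTES) return { status: 413 };
  if (!signatureOk(secret, raw, sigHex)) return { status: 401 };
  try { return { status: 200, event: parseJson(raw) }; }
  catch { return { status: 400 }; }
}

// Constructed sample input.
const SECRET = "constructed-demo-secret";
const goodBody = Buffer.from(JSON.stringify({ type: "message", text: "hi" }));
const unsignedBody = Buffer.from(JSON.stringify({ pad: "x".repeat(50000) }));

// Runs one request through a handler and reports status plus parse count.
function parsesFor(handler, raw, sigHex) {
  const before = parseCalls;
  const res = handler(SECRET, raw, sigHex);
  return { status: res.status, parses: parseCalls - before };
}
```

Both handlers answer the unsigned request with 401; only the parse-first one spends a JSON parse on it, which is the availability impact the CVSS vector records (VA:L).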
Fix
Resource Exhaustion
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw