PT-2026-25102 — Allocation of Resources Without Limits in Npm Openclaw

PT-2026-25102 · Npm · Openclaw

Published

2026-03-03

Updated

2026-03-03

CVSS v4.0

6.9

Medium

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Vulnerability

The hook authentication throttle keyed failed attempts by raw socket remoteAddress text.

IPv4 and IPv4-mapped IPv6 forms of the same client (for example 1.2.3.4 and ::ffff:1.2.3.4) were treated as different clients, allowing separate rate-limit buckets.

Impact

An attacker could split failed hook-auth attempts across both address forms and effectively double the brute-force budget from 20 to 40 attempts per 60-second window.

Affected Components

src/gateway/server-http.ts
src/gateway/auth-rate-limit.ts

Affected Packages / Versions

Package: openclaw (npm)
Vulnerable versions: <= 2026.2.21-2
Patched version (planned next release): 2026.2.22

Remediation

Centralize and reuse canonical client-IP normalization for auth rate-limiting, and use that canonical key for hook auth throttling.

Fix Commit(s)

3284d2eb227e7b6536d543bcf5c3e320bc9d13c5

Release Process Note

patched versions is pre-set to the planned next release (2026.2.22) so once npm release 2026.2.22 is published, this advisory can be published directly.

OpenClaw thanks @aether-ai-agent for reporting.

Fix

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-770

Related Identifiers

GHSA-5847-RM3G-23MW

Affected Products

Openclaw