PT-2026-25116 · Npm · Openclaw
Published: 2026-03-02 · Updated: 2026-03-02
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Summary
extensions/feishu/src/bot.ts constructed new RegExp() directly from Feishu mention metadata (mention.name, mention.key) in stripBotMention() without escaping regex metacharacters.
Affected Packages / Versions
- Package: npm openclaw
- Affected versions: <= 2026.2.17
- First affected release: 2026.2.6
- Patched version: 2026.2.19
Impact
- ReDoS: crafted nested-quantifier patterns in mention metadata can trigger catastrophic backtracking and block message processing.
- Regex injection: metacharacters in mention metadata can remove unintended message content before it is sent to the model.
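The bug class in the summary, as an added illustration that is not openclaw's code: a mention-stripping helper that interpolates mention.name and mention.key into new RegExp() unescaped, beside the same helper with an escapeRegExp step. The function names, the mention object shape and the sample message are constructed for this example.

```javascript
// Added example, not the project's code. Feishu mention metadata is
// externally influenced input; interpolating it into a RegExp without
// escaping lets metacharacters rewrite the pattern.

// Escape every regex metacharacter so the input matches only itself.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Vulnerable shape: pattern built from unescaped metadata (hypothetical).
function stripBotMentionUnsafe(text, mention) {
  const re = new RegExp(`@${mention.name}|${mention.key}`, "g");
  return text.replace(re, "").trim();
}

// Hardened shape: escape each fragment before building the RegExp.
function stripBotMentionSafe(text, mention) {
  const re = new RegExp(
    `@${escapeRegExp(mention.name)}|${escapeRegExp(mention.key)}`,
    "g"
  );
  return text.replace(re, "").trim();
}

// Constructed sample input.
const SAMPLE_TEXT = "@bot please summarize: deploy to prod at 10pm";
const BENIGN_MENTION = { name: "bot", key: "ou_abc123" };
// A name carrying an alternation and a wildcard; with the unsafe helper the
// whole message after the mention is removed before it reaches the model.
const HOSTILE_MENTION = { name: "bot|.*", key: "ou_abc123" };

console.log(stripBotMentionUnsafe(SAMPLE_TEXT, BENIGN_MENTION)); // "please summarize: deploy to prod at 10pm"
console.log(stripBotMentionUnsafe(SAMPLE_TEXT, HOSTILE_MENTION)); // ""
console.log(stripBotMentionSafe(SAMPLE_TEXT, HOSTILE_MENTION));   // message left intact
```

Escaping makes the hostile name match only its literal characters, so the message survives; a unit test of this shape is a reasonable regression check for the patched behaviour.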
Fix Commit(s)
- 7e67ab75cc2f0e93569d12fecd1411c2961fcc8c
- 74268489137510b6f6349919d1e197b17290d92c
Thanks @allsmog for reporting.
Fix
DoS
Affected Products
Openclaw