PT-2026-25131 · Npm · Openclaw
Published
2026-03-02
·
Updated
2026-03-02
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Summary
OpenClaw did not consistently enforce configured inbound media byte limits before buffering remote media in several channel ingestion paths. A remote sender could trigger oversized downloads and memory pressure before rejection.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.2.21-2(latest published at triage time) - Fixed in:
2026.2.22(planned next release)
Impact
An attacker could cause elevated memory usage and potential process instability (denial of service) by sending oversized media payloads.
Fix Commit(s)
73d93dee64127a26f1acd09d0403b794cdeb4f5c
Release Process Note
patched versions is pre-set to the planned next release (2026.2.22). After that npm release is published, this advisory can be published without further version-field edits.OpenClaw thanks @tdjackey for reporting.
Fix
Resource Exhaustion
Allocation of Resources Without Limits
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Openclaw