PT-2026-25435 · Npm · Openclaw
Published
2026-03-03
·
Updated
2026-03-03
CVSS v4.0
7.3
High
| Vector | AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Vulnerability
Webhook transform modules were validated with lexical path checks only. A symlink under the allowed hooks transform tree could resolve outside the intended directory and be dynamically imported.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.2.21-2 - Patched version (planned next release):
2026.2.22
Impact
When an attacker can cause a transform module path to reference a symlinked entry that resolves outside the trusted transform directory, the gateway may import and execute unintended JavaScript with gateway-process privileges.
Attack Preconditions
- Hook transforms are enabled and reachable.
- Attacker can influence transform path resolution (for example via privileged config access and/or writable filesystem path in the transform tree).
- A symlink escape exists to attacker-controlled code.
Remediation
- Enforce realpath-aware containment for existing path ancestors before dynamic import.
- Keep lexical containment checks for traversal and absolute-path escapes.
- Add regression coverage for:
- transform module symlink escape rejection,
hooks.transformsDirsymlink escape rejection,- in-root symlink allow-case.
Fix Commit(s)
f4dd0577b055f77af783105bd65eae32f3d5e6a1
OpenClaw thanks @aether-ai-agent for reporting.
Fix
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw