PT-2026-30520 · Npm · Openclaw

Published

2026-03-26

·

Updated

2026-03-26

CVSS v4.0

8.2

High

VectorAV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Summary

Remote media HTTP error bodies were read without a hard size cap before failure handling, allowing unbounded allocation on error responses.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: < 2026.3.22
  • Fixed: >= 2026.3.22
  • Latest released tag checked: v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87)
  • Latest published npm version checked: 2026.3.23-2

Fix Commit(s)

  • 81445a901091a5d27ef0b56fceedbe4724566438

Release Status

The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2.

Code-Level Confirmation

  • src/media/fetch.ts now routes non-2xx failures through bounded prefix reads instead of buffering the whole error body.
  • src/media/read-response-with-limit.ts enforces capped reads and truncates oversized snippets before surfacing failure text.
OpenClaw thanks @YLChen-007 for reporting.

Fix

Resource Exhaustion

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-400CWE-770

Related Identifiers

GHSA-4QWC-C7G9-4XCW

Affected Products

Openclaw