PT-2026-31355 · Npm · Openclaw
Published
2026-03-29
·
Updated
2026-03-29
CVSS v4.0
6.9
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
Summary
Feishu webhook reads and parses unauthenticated request bodies before signature validation
Affected Packages / Versions
- Package:
openclaw - Affected versions:
<= 2026.3.24 - First patched version:
2026.3.25 - Latest published npm version at verification time:
2026.3.24
Details
Feishu webhook handling previously parsed JSON before signature validation, which let unauthenticated callers force full JSON parsing work before rejection. Commit
5e8cb22176e9235e224be0bc530699261eb60e53 reads the raw request body, validates the signature first, and only then parses JSON.Verified vulnerable on tag
v2026.3.24 and fixed on main by commit 5e8cb22176e9235e224be0bc530699261eb60e53.Fix Commit(s)
5e8cb22176e9235e224be0bc530699261eb60e53
Fix
Resource Exhaustion
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw