PT-2026-33671 · Npm · Openclaw

Published

2026-04-09

·

Updated

2026-04-09

CVSS v3.1

4.3

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Impact

Multiple Code Paths Missing Base64 Pre-Allocation Size Checks.
Several base64 decode paths could allocate before enforcing decoded-size limits.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <=v2026.4.2
  • Patched versions: 2026.4.8

Fix

The issue was fixed on main and is available in the patched npm version listed above. The verified fixed tree is commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5.

Verification

The fix was re-checked against main before publication, including targeted regression tests for the affected security boundary.

Credits

Thanks @zsxsoft and @KeenSecurityLab for reporting.

Fix

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-770

Related Identifiers

GHSA-CCX3-FW7Q-RR2R

Affected Products

Openclaw