GHSA-p536-vvpp-9mc8
Suggest an improvement- Source
- https://github.com/advisories/GHSA-p536-vvpp-9mc8
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-p536-vvpp-9mc8/GHSA-p536-vvpp-9mc8.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-p536-vvpp-9mc8
- Aliases
- Published
- 2026-02-19T19:40:56Z
- Modified
- 2026-03-05T21:42:20Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- OpenClaw has a Web Fetch DoS via unbounded response parsing
- Details
-
Summary
The
web_fetchtool could be used to crash the OpenClaw Gateway process (OOM / resource exhaustion) by fetching and attempting to parse attacker-controlled web pages with oversized response bodies or pathological HTML nesting.Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.2.14 - Fixed versions:
>= 2026.2.15
Impact
An attacker can social-engineer a user (or any automation that uses
web_fetch) into fetching a malicious URL that returns extremely large or deeply nested HTML. The Gateway may exhaust memory or become unresponsive, causing a denial of service.Fix
The Gateway now caps the downloaded response body size before any HTML parsing and adds additional guards to avoid running Readability/DOM parsing on pathological HTML.
Fix Commit(s)
- 166cf6a3e04c7df42bea70a7ad5ce2b9df46d147
Release Process Note
This advisory is prepared for the next npm release. Once
openclaw@2026.2.15is published, publish this advisory without further edits.Thanks @xuemian168 for reporting.
- Package:
- Database specific
{ "severity": "MODERATE", "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2026-02-19T19:40:56Z", "nvd_published_at": null }- References
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw