GHSA-wr6m-jg37-68xh

Source
https://github.com/advisories/GHSA-wr6m-jg37-68xh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-wr6m-jg37-68xh/GHSA-wr6m-jg37-68xh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wr6m-jg37-68xh
Aliases
Downstream
Published
2026-03-02T21:49:51Z
Modified
2026-04-02T13:26:22.497827652Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Summary
OpenClaw has unbounded memory growth in Zalo webhook via query-string key churn (unauthenticated DoS)
Details

Summary

Unauthenticated requests to a reachable Zalo webhook endpoint could trigger unbounded in-memory key growth by varying query strings on the same valid webhook route.

Impact

An attacker could cause memory pressure and potential process instability or OOM, degrading availability.

Fix

Webhook security tracking now normalizes keys to matched webhook path semantics (query excluded) and bounds/prunes tracking state to prevent unbounded growth.
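The following is an added illustration of the fix described above, written for this page and not taken from OpenClaw's code base: a per-route webhook tracker that keys its state on the matched path (query string and fragment dropped), expires stale entries, and enforces a hard cap with least-recently-used eviction. The naive tracker beside it keys on the raw URL, so every distinct query string adds a new entry. The route `/webhooks/zalo`, the bound of 1000 keys and the 60 s window are assumed values, and the request URLs fed in by `simulateChurn` are constructed for the demonstration.

```javascript
// Added example (not OpenClaw's code). Assumed bound and window; tune per deployment.
const MAX_TRACKED_KEYS = 1000;
const WINDOW_MS = 60 * 1000;

// Key tracking state on the matched path only; query and fragment are never part of the key.
function normalizeWebhookKey(rawUrl) {
  // The base origin is a placeholder so relative request paths parse; only pathname is used.
  const url = new URL(rawUrl, 'http://placeholder.invalid');
  return url.pathname.replace(/\/+$/, '') || '/';
}

// Bounded tracker: Map preserves insertion order, so the first key is the least recently used.
class WebhookTracker {
  constructor(maxKeys = MAX_TRACKED_KEYS, windowMs = WINDOW_MS) {
    this.maxKeys = maxKeys;
    this.windowMs = windowMs;
    this.state = new Map();
  }

  // Records one request and returns the request count seen for its route within the window.
  record(rawUrl, now = Date.now()) {
    const key = normalizeWebhookKey(rawUrl);
    const existing = this.state.get(key);
    if (existing) {
      this.state.delete(key); // re-insert to move the key to the most-recent position
      existing.count += 1;
      existing.last = now;
      this.state.set(key, existing);
    } else {
      this.state.set(key, { count: 1, last: now });
    }
    this.prune(now);
    return this.state.get(key).count;
  }

  // Drops entries idle longer than the window, then evicts LRU entries past the hard cap.
  prune(now) {
    for (const [key, entry] of this.state) {
      if (now - entry.last > this.windowMs) this.state.delete(key);
    }
    while (this.state.size > this.maxKeys) {
      this.state.delete(this.state.keys().next().value);
    }
  }

  size() {
    return this.state.size;
  }
}

// Unbounded variant for comparison: raw URL as key, no expiry, no cap.
class NaiveTracker {
  constructor() {
    this.state = new Map();
  }

  record(rawUrl, now = Date.now()) {
    const entry = this.state.get(rawUrl) || { count: 0, last: now };
    entry.count += 1;
    entry.last = now;
    this.state.set(rawUrl, entry);
    return entry.count;
  }

  size() {
    return this.state.size;
  }
}

// Feeds n requests for one valid route with a different (constructed) query string each time
// and returns how many keys the tracker is holding afterwards.
function simulateChurn(tracker, n) {
  for (let i = 0; i < n; i++) {
    tracker.record(`/webhooks/zalo?nonce=${i}`, 1000 + i);
  }
  return tracker.size();
}

console.log('bounded keys after churn:', simulateChurn(new WebhookTracker(), 5000));
console.log('naive keys after churn:  ', simulateChurn(new NaiveTracker(), 5000));
```

The two defences are independent: path normalization collapses query-string variation on a single route into one key, while the expiry-plus-cap in `prune` keeps memory bounded even when an attacker can reach many distinct valid routes. A monitor that alerts when the tracker's size approaches the cap is a cheap way to detect this kind of churn in production.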

Affected and Patched Versions

  • Affected: <= 2026.2.26
  • Patched: 2026.3.1
Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2026-03-02T21:49:51Z",
    "cwe_ids": [
        "CWE-400"
    ],
    "severity": "MODERATE",
    "github_reviewed": true
}
References

Affected packages

npm / openclaw

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2026.3.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-wr6m-jg37-68xh/GHSA-wr6m-jg37-68xh.json"