OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthenticated attackers to force…
VulnCheck·CWE-696·Published 2026-03-29
OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthenticated attackers to force resource-intensive parsing operations. Remote attackers can send malicious webhook requests to trigger denial of service by exhausting server resources through forced JSON parsing before signature rejection.
OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthenticated attackers to force resource-intensive parsing operations. Remote attackers can send malicious webhook requests to trigger denial of service by exhausting server resources through forced JSON parsing before signature rejection.
## Summary Feishu webhook reads and parses unauthenticated request bodies before signature validation ## Affected Packages / Versions - Package: `openclaw` - Affected versions: `<= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24` ## Details Feishu webhook handling previously parsed JSON before signature validation, which let unauthenticated callers force full JSON parsing work before rejection. Commit `5e8cb22176e9235e224be0bc530699261eb60e53` reads the raw request body, validates the signature first, and only then parses JSON. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `5e8cb22176e9235e224be0bc530699261eb60e53`. ## Fix Commit(s) - `5e8cb22176e9235e224be0bc530699261eb60e53`
## Summary Feishu webhook reads and parses unauthenticated request bodies before signature validation ## Affected Packages / Versions - Package: `openclaw` - Affected versions: `<= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24` ## Details Feishu webhook handling previously parsed JSON before signature validation, which let unauthenticated callers force full JSON parsing work before rejection. Commit `5e8cb22176e9235e224be0bc530699261eb60e53` reads the raw request body, validates the signature first, and only then parses JSON. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `5e8cb22176e9235e224be0bc530699261eb60e53`. ## Fix Commit(s) - `5e8cb22176e9235e224be0bc530699261eb60e53`
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | NVD | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | Primary | cve.org | 5.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| 3.1 | Secondary | NVD | 5.3 | 3.9 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| 4.0 | Primary | cve.org | 6.9 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
| 4.0 | Secondary | NVD | 6.9 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| 4.0 | Secondary | GHSA | 6.9 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |