DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-4HMJ-39M8-JWC7: GHSA-4HMJ-39M8-JWC7: ANSI Escape Sequence Injection in OpenClaw ACP Prompts

#security #cve #cybersecurity #ghsa

GHSA-4HMJ-39M8-JWC7: ANSI Escape Sequence Injection in OpenClaw ACP Prompts

Vulnerability ID: GHSA-4HMJ-39M8-JWC7
CVSS Score: 5.3
Published: 2026-03-29

The OpenClaw Assistant Control Protocol (ACP) CLI suffers from an ANSI escape sequence injection vulnerability due to insufficient input sanitization of tool metadata. This flaw permits an attacker to leverage Control Sequence Introducer (CSI) commands to manipulate terminal output, redress security prompts, and trick users into authorizing malicious command execution.

TL;DR

OpenClaw fails to strip cursor-manipulating ANSI sequences from tool metadata. Attackers can inject these sequences to overwrite terminal prompts, tricking users into authorizing dangerous actions (like arbitrary command execution) under the guise of benign operations.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-150 / CWE-116
  • Attack Vector: Local/Terminal via Malicious Payload
  • Impact: UI Redressing leading to Arbitrary Command Execution
  • Exploit Status: PoC Available
  • Authentication: Not Required (via Prompt Injection)
  • CVSS Base Score: 5.3 (Moderate)

Affected Systems

  • OpenClaw Assistant Control Protocol (ACP) CLI
  • npm ecosystem (openclaw package)
  • openclaw: >= 2026.2.13, <= 2026.3.24 (Fixed in: 2026.3.26)

Code Analysis

Commit: 464e2c1

Fix ANSI escape sequence injection by broadening sanitization logic to cover all CSI and OSC sequences in terminal output.

Added sanitizeTerminalText function and updated ANSI regex pattern to handle complex CSI commands.
Enter fullscreen mode Exit fullscreen mode

Mitigation Strategies

  • Upgrade the openclaw package to version 2026.3.26 or later to apply the comprehensive ANSI stripping logic.
  • Implement comprehensive terminal sanitization libraries (e.g., strip-ansi) instead of custom regex implementations.
  • Restrict the tools available to the LLM agent to follow the principle of least privilege, minimizing the impact of authorized execution.
  • Pipe terminal output through sanitization utilities if running vulnerable versions in high-security contexts.

Remediation Steps:

  1. Identify all projects utilizing the openclaw package within the affected version range (>= 2026.2.13, <= 2026.3.24).
  2. Update package dependencies in package.json to require openclaw@^2026.3.26.
  3. Execute npm install or yarn install to pull the patched dependencies.
  4. Verify the fix by submitting a test payload containing CSI sequences to the tool execution prompt and ensuring they are printed as plaintext or stripped.

References

Read the full report for GHSA-4HMJ-39M8-JWC7 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)