GHSA-ccx3-fw7q-rr2r: Unbounded Base64 Decoding Leading to Denial of Service in OpenClaw
Vulnerability ID: GHSA-CCX3-FW7Q-RR2R
CVSS Score: 2.3
Published: 2026-04-09
OpenClaw versions up to 2026.4.2 contain multiple code paths that fail to validate the size of base64-encoded input before allocating memory for the decoded output buffer. This flaw allows a local attacker to cause a Denial of Service (DoS) condition via memory exhaustion. The vulnerability was patched in version 2026.4.8 by introducing pre-allocation size checks.
TL;DR
A missing pre-allocation size check during base64 decoding in OpenClaw allows local attackers to trigger out-of-memory (OOM) crashes, resulting in Denial of Service. Update to version 2026.4.8 or implement request size limits at the proxy layer.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-770
- Attack Vector: Local (AV:L)
- CVSS v4.0 Score: 2.3
- Impact: Denial of Service (DoS)
- Exploit Status: Proof of Concept (PoC)
- KEV Status: Not Listed
Affected Systems
- openclaw <= 2026.4.2 (Fixed in: 2026.4.8)
Code Analysis
Commit: d7c3210
Fix: Introduce size validation before buffer allocation in network and file processing modules
Mitigation Strategies
- Upgrade the openclaw npm package to the patched version.
- Implement payload size restrictions at the reverse proxy or API gateway layer.
- Monitor application memory usage and configure automatic restart policies for the process.
Remediation Steps:
- Identify the current version of the openclaw package via package.json.
- Run 'npm install openclaw@^2026.4.8' to install the patched version.
- Restart the Node.js application process.
- Verify that the application successfully rejects oversized base64 payloads without crashing.
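To make the missing check described under Code Analysis concrete, and to give the final verification step something to exercise, here is an added Node.js example that is not OpenClaw's own code and not taken from commit d7c3210: the unbounded decode beside a bounded version that derives the decoded size from the encoded length and rejects the input before any buffer is allocated. The 1 MiB limit and the function names are assumptions for illustration.

```javascript
// Added example, not OpenClaw's code. Bounded vs. unbounded base64 decoding.
// The unbounded form allocates the full decoded buffer for any input size;
// the bounded form rejects oversized input before any allocation happens.

// Maximum decoded size we are willing to allocate (assumed limit: 1 MiB).
const MAX_DECODED_BYTES = 1024 * 1024;

// Vulnerable pattern: decode whatever arrives. Buffer.from sizes the output
// from the input length, so a huge encoded string drives allocation until
// the process runs out of memory.
function decodeUnbounded(encoded) {
  return Buffer.from(encoded, 'base64');
}

// Upper bound on the decoded length computed from the encoded length alone,
// with no allocation: every 4 base64 characters yield 3 bytes, and trailing
// '=' padding characters carry no data. Unpadded input is handled too.
function base64DecodedLength(encoded) {
  if (typeof encoded !== 'string') {
    throw new TypeError('base64 input must be a string');
  }
  let padding = 0;
  if (encoded.endsWith('==')) padding = 2;
  else if (encoded.endsWith('=')) padding = 1;
  const dataChars = encoded.length - padding;
  return Math.floor((dataChars * 3) / 4);
}

// Hardened pattern: validate the size first, allocate only if it fits.
function decodeBounded(encoded, maxBytes = MAX_DECODED_BYTES) {
  const decodedLength = base64DecodedLength(encoded);
  if (decodedLength > maxBytes) {
    throw new RangeError(
      `decoded payload would be ${decodedLength} bytes, limit is ${maxBytes}`
    );
  }
  return Buffer.from(encoded, 'base64');
}
```

The same length check belongs at the proxy or gateway layer as a request size limit, so oversized payloads are dropped before they reach the decoder.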