CVE Reports

Posted on • Originally published at cvereports.com

GHSA-MFG5-7Q5G-F37J: Denial of Service via Uncontrolled WebSocket Resource Allocation in OpenClaw

Vulnerability ID: GHSA-MFG5-7Q5G-F37J
CVSS Score: 6.6
Published: 2026-03-02

A resource exhaustion vulnerability exists in the @openclaw/voice-call package, a core component of the OpenClaw telephony platform. The vulnerability arises from an improper implementation of the WebSocket protocol upgrade mechanism, specifically an "Upgrade-First, Validate-Later" design pattern. By allowing an unlimited number of unauthenticated WebSocket connections to remain in an idle "pre-start" state indefinitely, remote attackers can consume available file descriptors and memory, leading to a Denial of Service (DoS) for legitimate voice services.

TL;DR

Unauthenticated attackers can exhaust server resources by opening thousands of WebSocket connections to the OpenClaw voice stream endpoint without initiating a session. Patched in version 2026.2.22.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-400
  • CVSS: 6.6 (Medium)
  • Attack Vector: Network
  • Authentication: None Required
  • Exploit Maturity: PoC Available
  • Patch Status: Released (2026-02-23)

Affected Systems

  • @openclaw/voice-call
  • openclaw
  • @openclaw/voice-call: <= 2026.2.21 (Fixed in: 2026.2.22)
  • openclaw: <= 2026.2.21 (Fixed in: 2026.2.22)

Code Analysis

Commit: 1d8968c

fix(voice-call): limit pending media stream connections and enforce start timeout

@@ -45,6 +45,15 @@ class MediaStreamHandler {
+    // Enforce max pending connections
+    if (this.pendingConnections.size >= this.config.maxPendingConnections) {
+      socket.close(503, 'Server Busy');
+      return;
+    }
+
+    // Set timeout for start frame
+    const timeout = setTimeout(() => {
+      socket.close(1008, 'Start timeout');
+    }, this.config.preStartTimeoutMs);
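Review bot: `socket.close(503, 'Server Busy')` passes an HTTP status where a WebSocket close code is expected; RFC 6455 close codes lie in the 1000-4999 range and libraries such as ws throw a TypeError on codes outside it, so the over-capacity branch would raise instead of closing the socket. Use 1013 (Try Again Later) or 1008 as in the timeout branch. The hunk also creates `timeout` but shows no `clearTimeout` when the start frame arrives or the socket closes, and no insertion into `pendingConnections` on admission; without both, the cap is never reached and the timer fires on sockets that are already gone.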

Mitigation Strategies

  • Update to patched version
  • Configure WebSocket timeouts
  • Implement rate limiting at the reverse proxy level

Remediation Steps:

  1. Upgrade @openclaw/voice-call to version 2026.2.22 or later.
  2. Upgrade the main openclaw package to version 2026.2.22.
  3. Verify configuration in plugins.entries.voice-call.config to ensure preStartTimeoutMs is set (default is now 5000ms).
  4. Restart the OpenClaw service to apply changes.
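The limit-and-timeout pattern behind the fix, written as an added example rather than code from OpenClaw: a guard that caps idle pre-start connections and closes any socket that has not sent its start frame within `preStartTimeoutMs`. The class name, the assumed cap of 100 pending sockets, and the socket interface (`close(code, reason)`, `on('close', fn)`) are assumptions; the 5000 ms default comes from the advisory.

```javascript
// Hypothetical pre-start guard for a WebSocket media endpoint (not from
// @openclaw/voice-call). Works with any socket exposing close(code, reason)
// and on(event, handler), e.g. a ws.WebSocket.
const PRE_START_TIMEOUT_MS = 5000; // default cited in the advisory
const MAX_PENDING = 100;           // assumed cap; size for the deployment

// RFC 6455 close codes: 1008 = policy violation, 1013 = try again later.
const CLOSE_POLICY_VIOLATION = 1008;
const CLOSE_TRY_AGAIN_LATER = 1013;

class PreStartGuard {
  // schedule/cancel are injectable so the timer logic can be tested without waiting.
  constructor({ maxPending = MAX_PENDING, preStartTimeoutMs = PRE_START_TIMEOUT_MS,
                schedule = setTimeout, cancel = clearTimeout } = {}) {
    this.maxPending = maxPending;
    this.preStartTimeoutMs = preStartTimeoutMs;
    this.schedule = schedule;
    this.cancel = cancel;
    this.pending = new Map(); // socket -> timer handle
  }

  // Call immediately after the upgrade. Returns false if the socket was refused.
  admit(socket) {
    if (this.pending.size >= this.maxPending) {
      socket.close(CLOSE_TRY_AGAIN_LATER, 'Server Busy');
      return false;
    }
    const timer = this.schedule(() => {
      this.pending.delete(socket);
      socket.close(CLOSE_POLICY_VIOLATION, 'Start timeout');
    }, this.preStartTimeoutMs);
    this.pending.set(socket, timer);
    // Free the slot if the client disconnects before ever starting.
    socket.on('close', () => this.release(socket));
    return true;
  }

  // Call once a valid, authenticated start frame has been received.
  started(socket) { return this.release(socket); }

  release(socket) {
    const timer = this.pending.get(socket);
    if (timer === undefined) return false;
    this.cancel(timer);
    this.pending.delete(socket);
    return true;
  }

  get pendingCount() { return this.pending.size; }
}
```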

Read the full report for GHSA-MFG5-7Q5G-F37J on our website for more details including interactive diagrams and full exploit analysis.
