GHSA-qcc3-jqwp-5vh2: Unauthenticated Resource Exhaustion via LINE Webhook Handler in OpenClaw
Vulnerability ID: GHSA-QCC3-JQWP-5VH2
CVSS Score: 5.3
Published: 2026-04-02
The OpenClaw personal AI assistant platform contains a resource exhaustion vulnerability in its LINE webhook handler. The application fails to enforce concurrency limits prior to processing unauthenticated HTTP POST requests, allowing an attacker to cause a Denial of Service (DoS) through rapid CPU and memory consumption.
TL;DR
Unauthenticated attackers can trigger severe Denial of Service in OpenClaw by sending high-concurrency requests to the LINE webhook handler. The lack of a pre-authentication resource budget causes the server to exhaust memory and CPU while performing cryptographic signature verification.
Technical Details
- CWE IDs: CWE-400, CWE-770, CWE-347
- Attack Vector: Network
- CVSS Score: 5.3 (Medium)
- Privileges Required: None
- User Interaction: None
- Impact: Denial of Service (Availability)
Affected Systems
- OpenClaw Application Server
- Node.js Event Loop
- LINE Webhook Integration
- openclaw: < 2026.3.31 (Fixed in: 2026.3.31)
Code Analysis
Commit: 57c47d8
Fix: Implement shared pre-auth concurrency budget for LINE webhook handler
Mitigation Strategies
- Software Update
- Reverse Proxy Rate Limiting
- WAF Rate Limiting
Remediation Steps:
- Identify the deployed version of the openclaw package in the application environment.
- Upgrade the dependency to version 2026.3.31 via the package manager (npm install openclaw@2026.3.31).
- Restart the Node.js application server to apply the updated logic.
- Monitor application logs for HTTP 429 responses on the /line/webhook endpoint to verify the limiter is functioning.
References
Read the full report for GHSA-QCC3-JQWP-5VH2 on our website for more details including interactive diagrams and full exploit analysis.