GHSA-ccx3-fw7q-rr2r: openclaw: base64 pre-alloc bypass causes resource exhaustion
GHSA-ccx3-fw7q-rr2r MEDIUM
OpenClaw's npm package contains multiple base64 decode paths that allocate memory before enforcing decoded-size limits (CWE-770), enabling resource exhaustion in this local AI assistant. While the advisory explicitly scopes this to a local, non-multi-tenant trust model with no EPSS data, no public exploit, and no KEV designation, the 60 prior CVEs on this package and the documented malicious skills ecosystem (AIID #1368, ~17% malicious skills reported in Feb 2026) signal a historically vulnerable codebase that warrants prioritized patching. Upgrade to version 2026.4.8 — verified against targeted regression tests at commit d7c3210 — and audit any third-party ClawHub skills already installed.
What is the risk?
Medium risk overall. CWE-770 without enforced decoded-size limits can cause denial-of-service in affected OpenClaw instances through crafted base64 input. The advisory explicitly limits scope to a local, user-controlled environment, reducing blast radius compared to a server-side or multi-tenant deployment. No active exploitation is observed, and no public exploit or scanner template exists. However, OpenClaw's demonstrated third-party skill ecosystem abuse (AIID #1368) provides a realistic delivery vector, and the package's history of 60 CVEs is a structural quality signal that elevates the practical risk above what the medium CVSS label alone implies.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | npm | < 2026.4.8 | 2026.4.8 |
What should I do?
1. Upgrade openclaw (npm) to 2026.4.8 immediately — verify with `npm list openclaw`.
2. Pin the fixed commit (d7c3210cd6f5fdfdc1beff4c9541673e814354d5) in any CI/CD pipelines that lock dependencies by hash.
3. If patching is not immediately feasible, restrict or disable third-party skill installation from ClawHub to reduce the primary delivery vector.
4. Monitor for anomalous memory consumption or process crashes in OpenClaw as a detection signal for exploitation attempts.
5. Audit all currently installed skills for provenance — given AIID #1368 findings, treat any skill not sourced from a verified publisher as untrusted input.
6. Track future advisories from @zsxsoft and @KeenSecurityLab who discovered this class of issue.
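A lockfile check that complements `npm list openclaw` in CI, added here as an example and not part of the advisory or of OpenClaw: it scans the `packages` map of a package-lock.json (lockfileVersion 2 or 3) for any copy of openclaw below 2026.4.8, nested copies included. The sample lockfile and the function names are constructed, and versions are assumed to have three numeric components as on this page.

```javascript
// Added example, not OpenClaw tooling. PATCHED is the fixed version named on this page.
const PATCHED = '2026.4.8';

// Parse "2026.4.8" or "v2026.4.2" into [year, minor, patch]; null if it does not fit.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Numeric, component-wise comparison (string comparison would rank 2026.10.x below 2026.4.x).
function isBelow(version, floor) {
  const a = parseVersion(version);
  const b = parseVersion(floor);
  if (!a || !b) return true; // unparseable version: flag it for manual review
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Return every installed copy of openclaw below the patched version,
// including copies nested under another package's node_modules.
function findVulnerableOpenclaw(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/openclaw$/.test(path)) continue;
    if (isBelow(entry.version, PATCHED)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed lockfile fragment: a patched top-level copy and an older nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/openclaw': { version: '2026.4.8' },
    'node_modules/some-skill/node_modules/openclaw': { version: '2026.4.2' },
    'node_modules/openclaw-helper': { version: '1.0.0' },
  },
};
console.log(findVulnerableOpenclaw(sampleLock));
```
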
Frequently Asked Questions
Is GHSA-ccx3-fw7q-rr2r actively exploited?
No confirmed active exploitation of GHSA-ccx3-fw7q-rr2r has been reported, but organizations should still patch proactively.
What systems are affected by GHSA-ccx3-fw7q-rr2r?
This vulnerability affects the following AI/ML architecture patterns: local AI assistants, agent frameworks, AI tool plugin/skills ecosystems.
What is the CVSS score for GHSA-ccx3-fw7q-rr2r?
No CVSS score has been assigned yet.
AI Security Impact
MITRE ATLAS Techniques
- AML.T0010.005 AI Agent Tool
- AML.T0011.002 Poisoned AI Agent Tool
- AML.T0029 Denial of AI Service
- AML.T0034.002 Agentic Resource Consumption
Technical Details
Original Advisory
## Impact
Multiple Code Paths Missing Base64 Pre-Allocation Size Checks. Several base64 decode paths could allocate before enforcing decoded-size limits.

OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<=v2026.4.2`
- Patched versions: `2026.4.8`

## Fix
The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.

## Verification
The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.

## Credits
Thanks @zsxsoft and @KeenSecurityLab for reporting.
Exploitation Scenario
An adversary publishes a malicious skill to ClawHub containing a crafted base64-encoded payload sized to exploit the missing pre-allocation size check. When a user installs and invokes the skill, OpenClaw's decode path allocates memory proportional to the crafted payload before the size limit check executes, exhausting available memory. In a targeted scenario consistent with AIID #1368, this DoS condition serves as a smokescreen — the memory exhaustion crash disrupts the assistant while a co-delivered malicious payload (e.g., an infostealer) executes in the background to exfiltrate session tokens, browser credentials, or API keys stored locally.
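The ordering problem described above, as an added Node.js example that is not OpenClaw's code: it contrasts decoding before the limit check with bounding the decoded size from the encoded length first. The function names, the allocation counter and the 1 MiB default limit are assumptions for illustration.

```javascript
// Added example, not OpenClaw source. Names and the 1 MiB limit are hypothetical.
const MAX_DECODED_BYTES = 1024 * 1024;

let allocations = 0; // counts decoder calls so the ordering difference is observable
function rawDecode(b64) {
  allocations += 1;
  return Buffer.from(b64, 'base64'); // allocates roughly 3/4 of the input length
}

// Upper bound on decoded bytes from the encoded length alone: each character
// carries at most 6 bits, so the real decoded size is never larger than this.
function maxDecodedLength(b64) {
  const pad = b64.endsWith('==') ? 2 : b64.endsWith('=') ? 1 : 0;
  return Math.floor(((b64.length - pad) * 3) / 4);
}

// Ordering the advisory describes: allocate first, enforce the limit afterwards.
function decodeThenCheck(b64, limit = MAX_DECODED_BYTES) {
  const buf = rawDecode(b64);
  if (buf.length > limit) throw new RangeError('decoded payload exceeds limit');
  return buf;
}

// Corrected ordering: reject on the computed bound before any allocation.
function checkThenDecode(b64, limit = MAX_DECODED_BYTES) {
  if (typeof b64 !== 'string') throw new TypeError('expected a base64 string');
  const bound = maxDecodedLength(b64);
  if (bound > limit) {
    throw new RangeError(`decoded size bound ${bound} exceeds limit ${limit}`);
  }
  return rawDecode(b64);
}

// Runs one ordering on one input and reports whether it allocated before rejecting.
function allocationsFor(fn, b64, limit) {
  const before = allocations;
  let rejected = false;
  try {
    fn(b64, limit);
  } catch (err) {
    rejected = err instanceof RangeError;
  }
  return { rejected, allocated: allocations - before };
}

// Constructed sample: 4096 base64 characters (3072 decoded bytes) against a 1024-byte limit.
const oversized = 'QUJD'.repeat(1024);
console.log('decode then check:', allocationsFor(decodeThenCheck, oversized, 1024));
console.log('check then decode:', allocationsFor(checkThenDecode, oversized, 1024));
```

Both orderings reject the oversized input; only the first has already paid for the allocation by the time it does.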
Related Vulnerabilities
- CVE-2026-30741 (9.8): OpenClaw: RCE via request-side prompt injection. Same package: openclaw
- CVE-2026-28451 (9.3): OpenClaw: SSRF via Feishu extension exposes internal services. Same package: openclaw
- GHSA-cwj3-vqpp-pmxr (8.8): openclaw: Model bypasses authz to persist unsafe config. Same package: openclaw
- GHSA-m3mh-3mpg-37hw (8.6): OpenClaw: .npmrc hijack enables RCE on plugin install. Same package: openclaw
- CVE-2026-27001 (7.8): OpenClaw: prompt injection via unsanitized workspace path. Same package: openclaw