GHSA-ccx3-fw7q-rr2r: openclaw: base64 pre-alloc bypass causes resource exhaustion

GHSA-ccx3-fw7q-rr2r MEDIUM
Published April 9, 2026
CISO Take

OpenClaw's npm package contains multiple base64 decode paths that allocate memory before enforcing decoded-size limits (CWE-770), enabling resource exhaustion in this local AI assistant. While the advisory explicitly scopes this to a local, non-multi-tenant trust model with no EPSS data, no public exploit, and no KEV designation, the 60 prior CVEs on this package and the documented malicious skills ecosystem (AIID #1368, ~17% malicious skills reported in Feb 2026) signal a historically vulnerable codebase that warrants prioritized patching. Upgrade to version 2026.4.8 — verified against targeted regression tests at commit d7c3210 — and audit any third-party ClawHub skills already installed.

Sources: GitHub Advisory ATLAS

What is the risk?

Medium risk overall. CWE-770 without enforced decoded-size limits can cause denial-of-service in affected OpenClaw instances through crafted base64 input. The advisory explicitly limits scope to a local, user-controlled environment, reducing blast radius compared to a server-side or multi-tenant deployment. No active exploitation is observed, and no public exploit or scanner template exists. However, OpenClaw's demonstrated third-party skill ecosystem abuse (AIID #1368) provides a realistic delivery vector, and the package's history of 60 CVEs is a structural quality signal that elevates the practical risk above what the medium CVSS label alone implies.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw npm < 2026.4.8 2026.4.8
4 dependents 41% patched ~3d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What should I do?

6 steps
  1. Upgrade openclaw (npm) to 2026.4.8 immediately — verify with npm list openclaw.

  2. Pin the fixed commit (d7c3210cd6f5fdfdc1beff4c9541673e814354d5) in any CI/CD pipelines that lock dependencies by hash.

  3. If patching is not immediately feasible, restrict or disable third-party skill installation from ClawHub to reduce the primary delivery vector.

  4. Monitor for anomalous memory consumption or process crashes in OpenClaw as a detection signal for exploitation attempts.

  5. Audit all currently installed skills for provenance — given AIID #1368 findings, treat any skill not sourced from a verified publisher as untrusted input.

  6. Track future advisories from @zsxsoft and @KeenSecurityLab who discovered this class of issue.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk Management System
ISO 42001
A.6.1 - AI System Objectives and Design
NIST AI RMF
MANAGE 2.2 - Risk Treatment
OWASP LLM Top 10
LLM04 - Model Denial of Service

Frequently Asked Questions

What is GHSA-ccx3-fw7q-rr2r?

OpenClaw's npm package contains multiple base64 decode paths that allocate memory before enforcing decoded-size limits (CWE-770), enabling resource exhaustion in this local AI assistant. While the advisory explicitly scopes this to a local, non-multi-tenant trust model with no EPSS data, no public exploit, and no KEV designation, the 60 prior CVEs on this package and the documented malicious skills ecosystem (AIID #1368, ~17% malicious skills reported in Feb 2026) signal a historically vulnerable codebase that warrants prioritized patching. Upgrade to version 2026.4.8 — verified against targeted regression tests at commit d7c3210 — and audit any third-party ClawHub skills already installed.

Is GHSA-ccx3-fw7q-rr2r actively exploited?

No confirmed active exploitation of GHSA-ccx3-fw7q-rr2r has been reported, but organizations should still patch proactively.

How to fix GHSA-ccx3-fw7q-rr2r?

1. Upgrade openclaw (npm) to 2026.4.8 immediately — verify with `npm list openclaw`. 2. Pin the fixed commit (d7c3210cd6f5fdfdc1beff4c9541673e814354d5) in any CI/CD pipelines that lock dependencies by hash. 3. If patching is not immediately feasible, restrict or disable third-party skill installation from ClawHub to reduce the primary delivery vector. 4. Monitor for anomalous memory consumption or process crashes in OpenClaw as a detection signal for exploitation attempts. 5. Audit all currently installed skills for provenance — given AIID #1368 findings, treat any skill not sourced from a verified publisher as untrusted input. 6. Track future advisories from @zsxsoft and @KeenSecurityLab who discovered this class of issue.

What systems are affected by GHSA-ccx3-fw7q-rr2r?

This vulnerability affects the following AI/ML architecture patterns: local AI assistants, agent frameworks, AI tool plugin/skills ecosystems.

What is the CVSS score for GHSA-ccx3-fw7q-rr2r?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

local AI assistantsagent frameworksAI tool plugin/skills ecosystems

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0011.002 Poisoned AI Agent Tool
AML.T0029 Denial of AI Service
AML.T0034.002 Agentic Resource Consumption

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.1
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

## Impact Multiple Code Paths Missing Base64 Pre-Allocation Size Checks. Several base64 decode paths could allocate before enforcing decoded-size limits. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<=v2026.4.2` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @zsxsoft and @KeenSecurityLab for reporting.

Exploitation Scenario

An adversary publishes a malicious skill to ClawHub containing a crafted base64-encoded payload sized to exploit the missing pre-allocation size check. When a user installs and invokes the skill, OpenClaw's decode path allocates memory proportional to the crafted payload before the size limit check executes, exhausting available memory. In a targeted scenario consistent with AIID #1368, this DoS condition serves as a smokescreen — the memory exhaustion crash disrupts the assistant while a co-delivered malicious payload (e.g., an infostealer) executes in the background to exfiltrate session tokens, browser credentials, or API keys stored locally.

Weaknesses (CWE)

CWE-770 — Allocation of Resources Without Limits or Throttling: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

  • [Requirements] Clearly specify the minimum and maximum expectations for capabilities, and dictate which behaviors are acceptable when resource allocation reaches limits.
  • [Architecture and Design] Limit the amount of resources that are accessible to unprivileged users. Set per-user limits for resources. Allow the system administrator to define these limits. Be careful to avoid CWE-410.

Source: MITRE CWE corpus.

Timeline

Published
April 9, 2026
Last Modified
April 9, 2026
First Seen
April 9, 2026

Related Vulnerabilities