GHSA-3H52-CX59-C456: Denial of Service via Pre-Authentication JSON Parsing in OpenClaw Feishu Extension

The @openclaw/extension-feishu module within the OpenClaw personal AI assistant exposes a webhook endpoint designed to receive event notifications from the Feishu (Lark) platform. This endpoint processes incoming HTTP requests, extracts payload data, and triggers corresponding actions within the assistant.

A structural vulnerability exists in how the extension processes unauthenticated HTTP requests prior to verifying their cryptographic signatures. The application reads and parses the request body as a JSON object before validating the x-lark-signature header provided by the Feishu platform.

This implementation pattern introduces an unauthenticated attack surface. By processing complex or excessively large JSON payloads before establishing trust, the application exposes the Node.js event loop to resource exhaustion. The vulnerability is classified as Uncontrolled Resource Consumption (CWE-400) and Insufficient Verification of Data Authenticity (CWE-345).

The root cause stems from an improper sequence of operations within the monitorWebhook function for the Feishu extension. The vulnerable implementation utilized a helper function named readJsonBodyWithLimit. This function automatically consumed the incoming HTTP request stream and invoked JSON.parse() to instantiate a JavaScript object.

Because this parsing operation occurred before the isFeishuWebhookSignatureValid function was called, the application inherently trusted the size and complexity of the incoming data. An unauthenticated attacker could submit deeply nested or exceptionally large JSON structures. Node.js processes JSON.parse() synchronously, meaning a complex payload blocks the main event loop, denying service to all other concurrent requests.

Furthermore, the original signature validation logic reconstructed the validation string by calling JSON.stringify(payload). JSON serialization is non-deterministic regarding key ordering and whitespace. This operational choice meant the stringified payload used for signature calculation might diverge from the raw bytes transmitted by Feishu, leading to false-negative validation failures or enabling potential bypass scenarios if serialization artifacts were manipulated.

The patch addresses the flaw by implementing a strict "Read-Validate-Parse" pipeline. The relevant changes in extensions/feishu/src/monitor.transport.ts demonstrate the shift from eager parsing to deferred parsing.

In the vulnerable version, the request body was parsed immediately:

// Vulnerable Implementation
const bodyResult = await readJsonBodyWithLimit(req, { limit: 1024 * 1024 });
// Signature validation occurs using the parsed object
if (!isFeishuWebhookSignatureValid({ headers: req.headers, payload: bodyResult.body, ... })) {
  // ...
}

The patched version replaces this with readRequestBodyWithLimit, which retrieves the raw byte stream as a string. Signature validation now operates directly on this raw string:

// Patched Implementation
const rawBody = await readRequestBodyWithLimit(req, { limit: 1024 * 1024 });
 
// Reject invalid signatures before any JSON parsing occurs
if (!isFeishuWebhookSignatureValid({ headers: req.headers, rawBody, ... })) {
  respondText(res, 401, "Invalid signature");
  return;
}
 
// Safe to parse only after cryptographic verification
const payload = parseFeishuWebhookPayload(rawBody);

The cryptographic hash calculation was also updated to utilize params.rawBody instead of a stringified object:

const computedSignature = crypto
  .createHash("sha256")
  .update(timestamp + nonce + encryptKey + params.rawBody)
  .digest("hex");

This exact string matching ensures cryptographic integrity and completely removes the non-deterministic JSON.stringify operation from the validation path.

Exploiting this vulnerability requires network access to the OpenClaw instance's Feishu webhook endpoint (typically /hook/feishu). The attacker does not need valid credentials or a valid Feishu signature.

The primary attack methodology focuses on resource exhaustion. The attacker crafts an HTTP POST request containing a multi-megabyte JSON payload. This payload is structurally designed to maximize the CPU cycles required by the V8 JavaScript engine's JSON.parse() implementation. Deeply nested objects or large arrays of complex data types are highly effective for this purpose.

Upon receiving the request, the vulnerable OpenClaw server begins parsing the payload. Because Node.js is single-threaded, the synchronous parsing operation blocks the event loop. High-frequency submission of these payloads ensures the event loop remains blocked indefinitely, rendering the AI assistant unresponsive to legitimate user interactions and system events.

The primary impact of this vulnerability is a Denial of Service (DoS). Successful exploitation prevents the OpenClaw service from processing legitimate requests, severely degrading the availability of the personal AI assistant. The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L yields a base score of 6.5, reflecting the unauthenticated, remote nature of the attack.

Beyond resource exhaustion, the cryptographic fragility introduced by JSON.stringify presents a secondary integrity risk. While the primary observed behavior is a fail-closed scenario (where valid Feishu events are rejected due to serialization mismatches), the architectural flaw theoretically allows for forged event injection.

If an attacker identified a specific JSON structure that produced a predictable stringified output matching a previously captured signature, they could bypass the authentication check. This would grant the ability to inject forged commands into the OpenClaw assistant, impersonating authorized users or triggering unauthorized workflows.

The definitive remediation is to update the OpenClaw application to a release containing commit 5e8cb22176e9235e224be0bc530699261eb60e53 or later. This patch implements the correct Read-Validate-Parse operational sequence and resolves both the DoS vector and the cryptographic verification fragility.

For environments where immediate patching is not feasible, network-level mitigations should be applied. Administrators must restrict access to the /hook/feishu endpoint using firewalls or reverse proxy access control lists (ACLs). Only traffic originating from documented and verified Feishu/Lark IP address ranges should be permitted to reach the endpoint.

Security operations teams should monitor application telemetry for anomalies indicative of exploitation attempts. Specifically, high CPU utilization spikes originating from the Node.js process, coupled with an increased volume of 401 Unauthorized or 400 Bad Request responses on the webhook path, serve as strong indicators of active resource exhaustion attacks.