
GHSA-5847-RM3G-23MW: Authentication Rate Limit Bypass via IPv6-Mapped Address

Alon Barad, Software Engineer

Mar 3, 2026 · 5 min read

Executive Summary (TL;DR)

Attackers can bypass authentication rate limits by switching between IPv4 (1.2.3.4) and IPv4-mapped IPv6 (::ffff:1.2.3.4) addresses, effectively doubling their allowed brute-force attempts per IP.

A security vulnerability exists in the OpenClaw AI agent framework's hook authentication mechanism. The flaw permits attackers to bypass configured rate limits by exploiting inconsistent string representations of client IP addresses. By alternating between standard IPv4 notation and IPv4-mapped IPv6 notation, a single attacker can manipulate the rate limiter into allocating multiple attempt buckets for the same source, significantly weakening protection against brute-force credential attacks.

Vulnerability Overview

The OpenClaw framework implements a rate-limiting mechanism to protect its hook authentication endpoints from brute-force attacks. This system tracks authentication failures associated with client IP addresses and blocks access after a defined threshold is reached. The integrity of this protection relies on the system's ability to uniquely and consistently identify a client based on their network address.

The vulnerability, identified as GHSA-5847-RM3G-23MW, resides in the failure to canonicalize IP address strings before using them as lookup keys in the rate limit storage. OpenClaw accepts connections via Node.js sockets, which may report the remote address in different formats depending on the network stack configuration and the ingress method.

Specifically, the system treats the standard IPv4 representation (e.g., 192.168.1.1) and the IPv4-mapped IPv6 representation (e.g., ::ffff:192.168.1.1) as two distinct entities. This logical error creates a split-horizon view of the attacker, where a single physical source controls multiple virtual identities within the rate limiter's state, undermining the security policy intended to throttle excessive authentication attempts.

Root Cause Analysis

The root cause is an input validation flaw classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts), with CWE-287 (Improper Authentication) implied. The issue stems from using the Node.js req.socket.remoteAddress property directly as a cache key, without any normalization.

In dual-stack network environments, operating systems may represent IPv4 addresses embedded within IPv6 structures. These are known as IPv4-mapped IPv6 addresses and are typically written with the prefix ::ffff:. While 1.2.3.4 and ::ffff:1.2.3.4 refer to exactly the same host, they are distinct strings. The OpenClaw rate limiter used a JavaScript Map or similar key-value store whose keys are compared as plain strings.

Prior to the patch, the application logic retrieved the client IP and performed only a basic whitespace trim. It did not attempt to parse the IP or collapse mapped addresses into their canonical IPv4 form. Consequently, the rate limiter instantiated separate counters for each string variant. This behavior violates the principle that security controls must operate on canonical data representations to prevent evasion via encoding or formatting manipulation.

Code Analysis

The vulnerability existed in src/gateway/auth-rate-limit.ts where the client IP was extracted. The original code simply used the raw string provided by the socket interface.

Vulnerable Implementation:

// src/gateway/auth-rate-limit.ts (Pre-patch)
function normalizeIp(ip: string | undefined): string {
  // Flaw: Only trims whitespace; does not resolve mapped IPs
  return (ip ?? "").trim() || "unknown";
}

The patch addresses this by introducing a robust normalization step. The fix involves importing a resolveClientIp utility from a centralized networking module. This utility parses the address and converts IPv4-mapped IPv6 addresses back to their standard IPv4 notation before the rate limiter processes them.

Patched Implementation:

// src/gateway/auth-rate-limit.ts (Fixed in commit 3284d2eb)
import { isLoopbackAddress, resolveClientIp } from "./net.js";

export function normalizeRateLimitClientIp(ip: string | undefined): string {
  // Fix: Canonicalizes the IP using centralized logic
  return resolveClientIp({ remoteAddr: ip }) ?? "unknown";
}

// The rate limiter now uses the normalized output as the key
function normalizeIp(ip: string | undefined): string {
  return normalizeRateLimitClientIp(ip);
}

By ensuring that ::ffff:1.2.3.4 resolves to 1.2.3.4, the application guarantees that both request formats increment the same failure counter, enforcing the rate limit correctly.
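The following TypeScript is an added illustration, not OpenClaw's code: the project's real resolveClientIp in ./net.js is not reproduced here. It shows a canonicalization routine with the property the fix needs (both string forms of one host map to one key), together with a stand-in failure counter that measures how many failed attempts are accepted under the pre-patch trim-only key versus the canonical key. It goes beyond the advisory's case by also collapsing the hexadecimal mapped form ::ffff:0102:0304, bracketed literals and IPv6 zone ids. The names canonicalizeClientIp, FailureLimiter, acceptedAttempts and the sample attempt list are my own constructions.

```typescript
// Added example (not OpenClaw's code): canonicalize the socket address before
// it becomes a rate-limit key, then count how many failed attempts each keying
// strategy accepts from one host that alternates between 1.2.3.4 and
// ::ffff:1.2.3.4. FailureLimiter is a stand-in for the gateway's real limiter.

const IPV4_MAPPED_PREFIX = "::ffff:";

/** True if `s` is a dotted-quad IPv4 address with every octet in 0..255. */
function isDottedQuad(s: string): boolean {
  const parts = s.split(".");
  return parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

/**
 * Canonical key for a client address (hypothetical helper):
 *  - trims whitespace, lower-cases hex digits, strips "[...]" and a "%zone" suffix
 *  - collapses IPv4-mapped IPv6 (::ffff:1.2.3.4 or ::ffff:0102:0304) to 1.2.3.4
 *  - passes other IPv6 literals through (group expansion is not handled here)
 *  - maps anything unparseable to "unknown" so it cannot become a free-form key
 */
export function canonicalizeClientIp(raw: string | undefined): string {
  let ip = (raw ?? "").trim().toLowerCase();
  if (ip === "") return "unknown";
  if (ip.startsWith("[") && ip.endsWith("]")) ip = ip.slice(1, -1);
  const zone = ip.indexOf("%");
  if (zone !== -1) ip = ip.slice(0, zone);

  if (ip.startsWith(IPV4_MAPPED_PREFIX)) {
    const tail = ip.slice(IPV4_MAPPED_PREFIX.length);
    if (isDottedQuad(tail)) return tail;
    // Hexadecimal form of the mapped address, e.g. ::ffff:0102:0304
    const m = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(tail);
    if (m) {
      const hi = parseInt(m[1], 16);
      const lo = parseInt(m[2], 16);
      return `${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`;
    }
    return "unknown";
  }
  if (isDottedQuad(ip)) return ip;
  if (ip.includes(":") && /^[0-9a-f:]+$/.test(ip)) return ip;
  return "unknown";
}

/** Pre-patch behaviour described in the advisory: trim only, no canonicalization. */
export function naiveKey(ip: string | undefined): string {
  return (ip ?? "").trim() || "unknown";
}

/** Minimal per-key failure counter standing in for the gateway's limiter. */
export class FailureLimiter {
  private readonly counts = new Map<string, number>();
  private readonly maxAttempts: number;
  private readonly keyFor: (ip: string | undefined) => string;

  constructor(maxAttempts: number, keyFor: (ip: string | undefined) => string) {
    this.maxAttempts = maxAttempts;
    this.keyFor = keyFor;
  }

  /** Records one failed attempt; returns false once the key is over its quota. */
  recordFailure(ip: string | undefined): boolean {
    const key = this.keyFor(ip);
    const n = (this.counts.get(key) ?? 0) + 1;
    this.counts.set(key, n);
    return n <= this.maxAttempts;
  }

  /** Number of distinct buckets the limiter has created so far. */
  bucketCount(): number {
    return this.counts.size;
  }
}

/** Counts how many of the given failed attempts the limiter lets through. */
export function acceptedAttempts(limiter: FailureLimiter, addrs: string[]): number {
  let accepted = 0;
  for (const a of addrs) {
    if (limiter.recordFailure(a)) accepted++;
  }
  return accepted;
}

// Constructed sample: one host, 20 failures in each string representation.
export const sampleAttempts: string[] = [
  ...Array<string>(20).fill("1.2.3.4"),
  ...Array<string>(20).fill("::ffff:1.2.3.4"),
];

console.log("trim-only key:", acceptedAttempts(new FailureLimiter(20, naiveKey), sampleAttempts));
console.log("canonical key:", acceptedAttempts(new FailureLimiter(20, canonicalizeClientIp), sampleAttempts));
```

With a quota of 20, the trim-only key accepts 40 failures and creates two buckets for one host, while the canonical key accepts 20 and creates one. Unparseable input is deliberately folded into a single "unknown" bucket, mirroring the project's own fallback, so that a malformed remote address string never becomes a fresh key of the attacker's choosing.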

Exploitation Methodology

An attacker can exploit this vulnerability to extend the window for a brute-force attack against hook authentication tokens. The exploitation process involves toggling the network formatting of the source IP address.

First, the attacker initiates a series of authentication requests using standard IPv4 connectivity. They continue until the server responds with HTTP 429 (Too Many Requests), indicating the rate limit bucket for the IPv4 address is exhausted. In a standard configuration, this might happen after 20 attempts.

Next, the attacker modifies their network client to force the usage of IPv6 mapping, or routes traffic through a local proxy that presents the address as ::ffff:<IP>. The OpenClaw server receives the connection, sees the new string representation, and checks its internal store. Finding no existing record for this "new" client, it initializes a fresh bucket with a full quota of attempts.

This effectively doubles the number of guesses an attacker can make per IP address per lockout window. While this does not grant unlimited attempts, it significantly degrades the efficacy of the rate limiting mechanism, especially when combined with a distributed botnet in which every node can now perform twice the work.

Impact Assessment

The primary impact of GHSA-5847-RM3G-23MW is the weakening of the application's defense against credential stuffing and brute-force attacks. By circumventing the intended request limits, attackers increase the probability of successfully guessing valid authentication tokens for OpenClaw hooks.

Security Scope:

  • Confidentiality: Compromised authentication tokens could allow attackers to read sensitive data exposed via hooks.
  • Integrity: Attackers with valid tokens could trigger unauthorized actions or inject malicious data into the AI agent workflow.
  • Availability: While primarily an authentication bypass, the ability to send twice the volume of requests before blocking could marginally increase the load on the system during a DoS attempt, though this is secondary to the authentication risk.

The severity is classified as Medium to High depending on the sensitivity of the actions protected by the hook authentication. If the hooks allow for remote code execution or modification of critical agent behavior, the risk is elevated.

Official Patches

  • OpenClaw: official fix commit 3284d2eb implementing IP normalization

Technical Appendix

CVSS Score

7.5 / 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Systems

OpenClaw

Affected Versions Detail

  • Product: OpenClaw
  • Affected Versions: all versions before Feb 22, 2026
  • Fixed Version: commit 3284d2eb

  • CWE ID: CWE-307
  • Vulnerability Type: Rate Limit Bypass
  • Attack Vector: Network
  • Severity: Medium/High
  • Platform: Node.js
  • Status: Patched

MITRE ATT&CK Mapping

  • T1110 Brute Force (Credential Access)
  • T1078 Valid Accounts (Defense Evasion)

CWE-307: Improper Restriction of Excessive Authentication Attempts

Known Exploits & Detection

GitHub: Regression tests included in the fix commit demonstrate the bypass mechanism.

Vulnerability Timeline

  • 2026-02-22: Vulnerability reported by @aether-ai-agent
  • 2026-02-22: Fix commit 3284d2eb pushed to main branch
  • 2026-02-22: GHSA-5847-RM3G-23MW published

References & Sources

  • [1] GitHub Advisory: GHSA-5847-RM3G-23MW
  • [2] OpenClaw Repository

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.
