OpenClaw Archive Extraction Path Traversal via Symlinks

A path traversal vulnerability was identified in the openclaw package, specifically within the module responsible for extracting ZIP archives. The vulnerability is a variant of the "Zip Slip" attack (CWE-22) but relies specifically on the mishandling of symbolic links (CWE-59) rather than standard parent directory traversal sequences (../).

The affected component is the archive extraction utility used by OpenClaw to process user-uploaded content, such as third-party skills, plugins, or avatar assets. When extracting a compressed archive, the application failed to validate whether the resolved path of a file entry effectively traversed outside the intended destination directory due to symbolic links already present on the filesystem. This oversight allows an attacker to write files to arbitrary locations on the server, provided they can influence the contents of the extraction directory prior to the malicious extraction event.

The root cause of the vulnerability lies in the reliance on lexical path validation rather than canonical path resolution. The extraction logic constructed the output path using path.join(destination, entryName) and subsequently verified if the resulting string began with the destination directory string.

This approach is insufficient because it ignores the filesystem state. While path.join resolves ../ sequences, it does not resolve symbolic links. If the destination directory contains a symbolic link (e.g., link -> /etc), a file entry named link/passwd would result in a path string that lexically appears safe (e.g., /tmp/extract/link/passwd starts with /tmp/extract). However, when the operating system performs the write operation, it follows the symlink, redirecting the write to /etc/passwd.

The vulnerability highlights a Time-of-Check Time-of-Use (TOCTOU) discrepancy where the application validates the abstract path string but the operating system acts on the concrete inode structure.

The remediation introduces a defense-in-depth strategy that validates path segments against symbolic links and enforces strict file open flags. The fix is located in src/infra/archive.ts.

Vulnerable Logic (Conceptual): The original code performed a simple prefix check:

const outPath = path.join(destDir, entry.name);
if (!outPath.startsWith(destDir)) throw new Error("Invalid path");
// Proceed to write to outPath

Patched Logic: The fix introduces assertNoSymlinkTraversal, which iterates through every segment of the relative path to ensure no component is a symbolic link. It also employs O_NOFOLLOW during file creation to prevent following symlinks at the final path component.

// From src/infra/archive.ts
async function assertNoSymlinkTraversal(params: { rootDir: string; relPath: string; }) {
  const parts = params.relPath.split("/").filter(Boolean);
  let current = path.resolve(params.rootDir);
  
  // Iteratively check every path segment
  for (const part of parts) {
    current = path.join(current, part);
    // Explicitly check for symlinks
    let stat = await fs.lstat(current).catch(() => null);
    if (stat && stat.isSymbolicLink()) {
      throw new Error(`archive entry traverses symlink: ${params.originalPath}`);
    }
  }
}

Additionally, the patch resolves the real path of the destination directory before extraction begins (assertDestinationDirReady) to ensure the root itself is not a redirection.

Exploiting this vulnerability requires a "pivot" strategy where the attacker leverages the state of the filesystem. The attack proceeds in two phases:

1. Pre-seeding (The Pivot): The attacker must ensure a symbolic link exists in the target extraction directory. This might be achieved through a prior legitimate extraction (if the extractor allows symlinks but doesn't follow them), or via another vulnerability that allows creating symlinks (e.g., a lesser file upload bug).

   • Example: Create exploit_dir/target_link pointing to /root/.ssh.

2. Traversal (The Trigger): The attacker uploads a malicious ZIP file containing an entry named target_link/authorized_keys.

3. Execution: OpenClaw constructs the path exploit_dir/target_link/authorized_keys. The lexical check passes. The file write operation follows target_link to /root/.ssh and overwrites authorized_keys with the attacker's public key.

This vector is particularly dangerous in environments where users can install "skills" or plugins, as these often involve unpacking archives into a dedicated workspace.

The impact of this vulnerability is critical, potentially resulting in full system compromise.

• Arbitrary File Write: Attackers can overwrite any file the application process has write access to. This includes configuration files, source code, and binaries.
• Remote Code Execution (RCE): By overwriting ~/.ssh/authorized_keys, crontabs, or application scripts (e.g., replacing index.js), an attacker can gain persistent shell access or execute arbitrary commands.
• Data Integrity: Attackers could silently modify database files or application logic to exfiltrate data or introduce backdoors.

The severity is mitigated slightly by the requirement for a pre-existing symlink, but in automated environments or shared hosting scenarios, this condition is often satisfiable.

The vulnerability is patched in OpenClaw version 2026.1.29 and later. The fix involves strict validation of path components and the use of safe file system flags.

Immediate Actions:

1. Upgrade OpenClaw: Update the openclaw package to version 2026.1.29 or higher immediately.
2. Audit Filesystems: Scan extraction directories for unexpected symbolic links, particularly those pointing to system directories (/etc, /usr, /root).
3. Monitor Logs: Look for failed extraction attempts generating ELOOP (Too many symbolic links) or security exceptions related to path traversal, which may indicate attempted exploitation against patched systems.