GHSA-MFG5-7Q5G-F37J: Denial of Service via Uncontrolled WebSocket Resource Allocation in OpenClaw

The OpenClaw platform utilizes the @openclaw/voice-call package to handle real-time media streaming via WebSockets. This component is responsible for accepting incoming audio streams for voice calls. In versions prior to 2026.2.22, the MediaStreamHandler class exposed a critical flaw in its connection lifecycle management.

The vulnerability is classified as a Resource Exhaustion Denial of Service (CWE-400). It exploits the disparity between the cost of establishing a WebSocket connection and the server's failure to enforce resource limits on connections that have completed the HTTP upgrade handshake but have not yet authenticated or begun transmitting data. Because the server allocated resources (memory buffers, file descriptors, and event loop cycles) immediately upon connection upgrade—rather than deferring allocation until after validation—the application was susceptible to trivial flooding attacks.

The root cause is a logic error in the WebSocket handshake process, specifically the lack of an idle timeout for "pre-start" connections. The normal lifecycle of an OpenClaw media stream is:

1. Client initiates HTTP Upgrade request to /voice/stream.
2. Server accepts upgrade and establishes WebSocket.
3. Client sends a JSON start event containing metadata and authentication tokens.
4. Server validates the start event and begins processing audio.

In the vulnerable implementation, the server enforced no time limit between Step 2 and Step 3. An attacker could complete Step 2 and simply hang the connection. The MediaStreamHandler would maintain the socket in memory indefinitely, waiting for a start event that never arrives. Furthermore, there were no global or per-IP limits on the number of these "pending" connections, allowing a single attacker to saturate the Node.js process's concurrent connection pool.

The patch introduced in version 2026.2.22 implements a strict state machine with timeouts. Below is a reconstruction of the remediation logic applied to the MediaStreamHandler.

Vulnerable Logic (Conceptual):

// The server upgrades the connection and simply waits for events.
// No timers are set to ensure the client actually sends data.
wss.on('connection', (ws) => {
  ws.on('message', (message) => {
    const event = JSON.parse(message);
    if (event.type === 'start') {
       // Validation happens here, too late in the lifecycle
       validateAndStartStream(ws, event);
    }
  });
});

Patched Logic: The fix introduces a preStartTimeout and a pendingConnections counter. The server now tracks sockets that have upgraded but not yet sent the start frame.

// New configuration parameters
const PRE_START_TIMEOUT = 5000; // 5 seconds
const MAX_PENDING = 32;
 
wss.on('connection', (ws, req) => {
  // 1. Check Global Limits
  if (this.pendingConnections.size >= MAX_PENDING) {
    ws.close(503, 'Server Busy');
    return;
  }
 
  // 2. Track this pending connection
  this.pendingConnections.add(ws);
 
  // 3. Set a "Time to Live" for the pre-start state
  const timeout = setTimeout(() => {
    if (!ws.isStarted) {
      // Force close if 'start' event not received in 5s
      ws.close(1008, 'Start timeout');
      this.pendingConnections.delete(ws);
    }
  }, PRE_START_TIMEOUT);
 
  ws.on('message', (message) => {
    // If valid 'start' received, clear timeout and move to active state
    if (isValidStart(message)) {
      clearTimeout(timeout);
      this.pendingConnections.delete(ws);
      // ... proceed with stream ...
    }
  });
});

This creates a "use it or lose it" policy for network resources. If a client does not authenticate within 5 seconds, the server aggressively reclaims the resources.

Exploiting this vulnerability requires no authentication and can be performed with standard network tools or simple scripts. The attacker targets the WebSocket endpoint (default /voice/stream).

Attack Steps:

1. Reconnaissance: Identify the OpenClaw instance and the media stream path.
2. Connection Flooding: The attacker opens a WebSocket connection but disables the automatic sending of any initial frames.
3. Resource Holding: The attacker repeats this process, opening thousands of simultaneous connections. Since the server does not close them, the connection count rises monotonically.
4. Denial of Service: Once the server hits its file descriptor limit (typically 1024 or 4096 on default Linux configurations) or the Node.js heap limit, the application crashes or becomes unresponsive to legitimate traffic.

A Proof-of-Concept (PoC) script would look like this using the ws library:

const WebSocket = require('ws');
const target = 'ws://vulnerable-openclaw.local/voice/stream';
const sockets = [];
 
// Open 5000 idle connections
for (let i = 0; i < 5000; i++) {
  const ws = new WebSocket(target);
  ws.on('open', () => {
    console.log(`Socket ${i} open and holding...`);
    // Intentionally DO NOT send 'start' event
  });
  sockets.push(ws);
}

The impact is strictly limited to Availability. There is no risk to Confidentiality or Integrity, as the attacker cannot read existing stream data or inject audio into other calls without valid session tokens.

However, the availability impact is High.

• Service Outage: Voice services are real-time critical. Even a temporary exhaustion of resources causes dropped calls and prevents new calls from connecting.
• Infrastructure Instability: If the OpenClaw instance is co-located with other services, the exhaustion of file descriptors (FDs) is an operating-system-level event that can crash adjacent processes or the reverse proxy (e.g., Nginx) fronting the application.
• Recovery: Recovering from the attack typically requires restarting the service to flush the stuck connections, resulting in downtime.