CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

GHSA-Q447-RJ3R-2CGH

OpenClaw's Gluttony: Unbounded Memory Consumption in Webhooks

Alon Barad
Alon Barad
Software Engineer

Feb 18, 2026·5 min read·37 visits

Executive Summary (TL;DR)

OpenClaw listens for webhooks but doesn't check how big the message is before trying to memorize it. Attackers can send a 5GB 'hello' message, causing the server to eat all available RAM and crash (OOM).

OpenClaw (formerly ClawdBot) suffers from a critical Denial of Service vulnerability due to improper handling of incoming webhook requests. The application buffers the entire request body into memory without enforcing size limits or checking the `Content-Length` header. This architectural oversight allows an unauthenticated attacker to send a single, massive HTTP request—potentially gigabytes in size—forcing the Node.js process to allocate memory until it hits the V8 heap limit or triggers the OS Out-Of-Memory (OOM) killer, crashing the service instantly.

The Hook: When AI Bites Off More Than It Can Chew

In the rush to deploy AI agents that can talk to Telegram, Slack, and Discord simultaneously, developers often forget the cardinal rule of web services: Never trust the client.

OpenClaw (previously ClawdBot, currently Moltbot) is a popular framework for spinning up these omni-channel bots. To function, it exposes public webhook endpoints. These endpoints are the ears of the bot, waiting for a ping from Telegram saying, "Hey, user X just sent a message."

But here's the catch: To be useful, these endpoints must be publicly accessible to the internet. You can't firewall them off if you want Telegram to reach you. This exposes the application's intake mechanism to the entire world. And in OpenClaw's case, the intake mechanism had the appetite of a black hole and the stomach capacity of a thimble.

The Flaw: The 'Slurp and Burp' Architecture

The vulnerability (GHSA-q447-rj3r-2cgh) is a textbook case of Uncontrolled Resource Consumption (CWE-400). In a healthy web application, when a request comes in, the server checks the Content-Length header. If someone tries to upload a terabyte of data to a text-only endpoint, the server should laugh and sever the connection immediately (HTTP 413 Payload Too Large).

OpenClaw didn't do this. Instead, it adopted what I like to call the "Slurp and Burp" strategy.

When a request arrived at the media or webhook endpoints, the application logic instructed the Node.js process to start buffering the incoming data stream into RAM. It didn't ask "how big is this?" It just started eating.

Complicating matters, the context indicates the application was performing Base64 decoding on media payloads in memory. Base64 encoding adds roughly 33% overhead to binary data. So, if an attacker sends a large payload, the server isn't just storing the payload; it's allocating new buffers to decode it, effectively doubling down on memory usage until the V8 garbage collector waves a white flag.

The Code: Anatomy of a Crash

While the exact source code isn't public in the snippet, we can reconstruct the vulnerability based on the patch analysis. The vulnerable pattern in Node.js typically looks like this:

// THE VULNERABLE WAY
app.post('/api/webhooks/telegram', (req, res) => {
    let data = [];
    
    // 1. Event listener fires for every chunk of data received
    req.on('data', (chunk) => {
        // 2. BLINDLY push chunks to memory. 
        // No check for if (data.length > MAX_LIMIT)
        data.push(chunk);
    });
 
    req.on('end', () => {
        // 3. Concatenate and explode
        const buffer = Buffer.concat(data);
        processWebhook(buffer);
    });
});

This code is a death sentence in production. Node.js streams are powerful because they allow processing data as it flows. By manually collecting chunks into an array without a limiter, the developer turned a streaming platform into a bucket.

If you send a 10GB stream:

  1. Node receives a chunk.
  2. Node keeps the chunk in the Heap.
  3. Repeat until HEAP_OUT_OF_MEMORY.

The Exploit: Death by CURL

Exploiting this does not require advanced reverse engineering, shellcode, or complex gadget chains. It requires curl and a large file. This is the script-kiddie equivalent of a nuclear option.

First, we generate a massive garbage file. We don't even need real JSON; we just need bytes to fill the pipe.

# Generate a 4GB file of zeros
dd if=/dev/zero of=death_packet.bin bs=1G count=4

Next, we direct this firehose at the target. Since OpenClaw is listening for webhooks, we target the /api/webhooks/generic or /api/webhooks/telegram endpoint.

curl -v -X POST http://target-openclaw:3000/api/webhooks/telegram \
     -H "Content-Type: application/json" \
     --data-binary @death_packet.bin

The Server Side View:

  1. The connection opens.
  2. RAM usage spikes vertically.
  3. The CPU pegs at 100% trying to manage the GC (Garbage Collector) thrashing.
  4. The OS Kernel steps in: Out of memory: Killed process 123 (node).
  5. The service goes dark.

The Mitigation: Put the Bot on a Diet

The fix for this is two-fold: Application-level constraints and Infrastructure-level gating. You never want your application to be the first line of defense against a volumetric attack, but it shouldn't be defenseless either.

1. The Code Fix (Application Level) The patched version (2026.1.24-4) implements body size limits. If you are using body-parser or similar middleware in Express/Node, it looks like this:

// THE FIX
app.use(express.json({ limit: '10mb' }));
app.use(express.urlencoded({ limit: '10mb', extended: true }));

For raw streams, you must check the chunk length as it arrives and destroy the socket if it exceeds your tolerance.

2. The Infrastructure Fix (The Real Shield) Do not expose Node.js directly to the internet. Put Nginx, HAProxy, or a Cloud WAF in front of it. Nginx is incredibly efficient at dropping oversized requests before they ever touch your expensive application memory.

# nginx.conf
server {
    ...
    # Drop anything larger than 10MB
    client_max_body_size 10M;
    ...
}

This turns a 5GB crash attempt into a harmless 413 Request Entity Too Large error log.

Official Patches

OpenClawOfficial Changelog referencing the fix

Technical Appendix

CVSS Score
7.5/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Systems

OpenClawClawdBotMoltbotNode.js Webhook Handlers

Affected Versions Detail

Product
Affected Versions
Fixed Version
clawdbot
OpenClaw
<= 2026.1.24-32026.1.24-4
AttributeDetail
Vulnerability IDGHSA-q447-rj3r-2cgh
CWECWE-400 (Uncontrolled Resource Consumption)
CVSS7.5 (High)
Attack VectorNetwork (Unauthenticated)
ImpactDenial of Service (DoS)
Fix Version2026.1.24-4

MITRE ATT&CK Mapping

T1499Endpoint Denial of Service
Impact
T1499.003Application Exhaustion Flood
Impact
CWE-400
Uncontrolled Resource Consumption

The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

Known Exploits & Detection

InternalSimple curl command sending binary data to webhook endpoint

Vulnerability Timeline

OpenClaw gains popularity
2026-01-01
Vulnerability reported by Vincent Koc
2026-01-25
GHSA-q447-rj3r-2cgh Published
2026-02-09
Patched Version 2026.1.24-4 Released
2026-02-11

References & Sources

  • [1]GitHub Advisory
  • [2]Zeropath Security Analysis

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•6 days ago•CVE-2026-9354
6.9

CVE-2026-9354: Arbitrary Mass Mention Bypass in NousResearch hermes-agent Slack and Mattermost Adapters

A vulnerability in the Slack and Mattermost platform adapters for NousResearch hermes-agent permits an unauthenticated remote attacker to execute arbitrary mass mentions. By leveraging prompt injection, an attacker can bypass output sanitization logic and trigger workspace-wide notification exhaustion.

Alon Barad
Alon Barad
35 views•6 min read
•6 days ago•CVE-2026-9306
6.3

CVE-2026-9306: Unauthenticated Insecure Direct Object Reference (IDOR) in QuantumNous new-api Midjourney Relay

CVE-2026-9306 is a critical unauthenticated Insecure Direct Object Reference (IDOR) vulnerability located in the QuantumNous new-api application, affecting versions up to and including 0.12.1. The flaw is caused by improper middleware ordering combined with a lack of object-level authorization checks. This allows remote, unauthenticated attackers to retrieve sensitive Midjourney images belonging to other users by supplying a valid task identifier.

Amit Schendel
Amit Schendel
13 views•5 min read
•7 days ago•GHSA-GGXF-37HM-9WQF
6.5

GHSA-GGXF-37HM-9WQF: Session Leakage via Unsafe Challenge Path Parsing in instagrapi

The instagrapi library prior to version 2.6.9 contains an improper input validation vulnerability within its challenge handling mechanism. Maliciously crafted server responses can manipulate the client into forwarding session cookies and credentials to an external attacker-controlled domain.

Amit Schendel
Amit Schendel
21 views•6 min read
•7 days ago•GHSA-QQQM-5547-774X
9.1

GHSA-QQQM-5547-774X: Unauthenticated Path Traversal in FileBrowser Quantum PATCH Handler

GHSA-QQQM-5547-774X is a critical path traversal vulnerability in the FileBrowser Quantum application, specifically within the Go backend package. The vulnerability resides in the HTTP handler responsible for processing bulk file modifications via the public API. Unauthenticated attackers can exploit an order-of-operations flaw in the path sanitization logic to bypass intended directory restrictions. This allows adversaries to arbitrarily read, move, and overwrite files on the underlying filesystem by supplying specially crafted HTTP PATCH requests.

Alon Barad
Alon Barad
9 views•6 min read
•7 days ago•CVE-2026-8723
5.3

CVE-2026-8723: Synchronous Denial of Service in qs npm Package via TypeError

The qs query string parsing and serialization library for Node.js is vulnerable to a synchronous Denial of Service (DoS) attack. The vulnerability manifests as a process-terminating TypeError when processing arrays with null or undefined elements under specific configuration parameters.

Amit Schendel
Amit Schendel
37 views•7 min read
•7 days ago•GHSA-7M8F-HGJQ-8GC9
7.5

GHSA-7M8F-HGJQ-8GC9: Pre-Authentication Denial of Service via Insecure Deserialization Order in aiosend

The aiosend library prior to version 3.0.6 contains a pre-authentication Denial of Service (DoS) vulnerability in its webhook handling mechanism. The software processes and deserializes incoming JSON payloads before verifying the cryptographic signature, allowing unauthenticated attackers to exhaust server CPU and memory resources by sending large, complex payloads.

Amit Schendel
Amit Schendel
4 views•6 min read