GHSA-V892-HWPG-JWQP: Zip Slip Path Traversal in OpenClaw Archive Extraction

OpenClaw is an open-source personal AI assistant that supports modular extensions through skills, plugins, and internal tools. A security assessment revealed a critical Arbitrary File Write vulnerability, commonly known as 'Zip Slip', within the application's archive extraction routines. This mechanism is primarily used when the application downloads and installs external assets, such as community skills or tools like signal-cli.

The vulnerability arises because the extraction logic blindly trusts the file paths specified within archive entries. When OpenClaw unpacks a compressed file (ZIP or TAR), it constructs the destination path by concatenating the target directory with the entry's name. If an attacker crafts an archive entry with a name like ../../../../root/.ssh/authorized_keys, the application writes the file content to that resolved path, bypassing the intended sandbox directory.

Simultaneously, related path traversal issues were identified in the Browser Tool component. The /hooks/file-chooser endpoint lacked path confinement for uploads, and the download manager accepted suggested filenames containing traversal sequences, further expanding the attack surface for local file system manipulation.

The root cause of this vulnerability is the absence of canonical path validation during the file extraction process. This falls under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).

In a secure extraction implementation, the application must perform the following steps for every entry in an archive:

1. Decode the entry name.
2. Resolve the full destination path (Base Directory + Entry Name).
3. Normalize the resulting path to remove relative segments (. and ..).
4. Verify that the normalized path still begins with the Base Directory path.

OpenClaw failed to implement step 4. Specifically, the extraction logic utilized unzip (or JS equivalents) and tar commands without flags or logic to strip directory components or validate the final destination. Consequently, the filesystem APIs treated the traversal sequences as valid instructions to navigate up the directory tree, allowing files to escape the targetDir confinement.

The vulnerability was remediated in version 2026.2.14 by introducing a centralized, secure extraction utility in infra/archive.ts. The patch replaces the insecure extraction calls with a validation routine that strictly enforces path confinement.

The following code snippet demonstrates the logic used to validate archive entries before writing them to disk. It normalizes paths and explicitly checks for traversal attempts:

// src/infra/archive.ts (Patched Logic)
 
function validateArchiveEntryPath(entryPath: string, targetDir: string): void {
  // 1. Normalize separators to forward slashes
  // 2. Normalize relative segments (collapsing '..')
  const normalized = path.posix.normalize(entryPath.replaceAll("\\", "/"));
 
  // Check 1: Prevent immediate traversal indicators
  if (normalized === ".." || normalized.startsWith("../")) {
    throw new Error(`Security Violation: Archive entry escapes destination: ${entryPath}`);
  }
 
  // Check 2: Prevent absolute paths
  if (path.posix.isAbsolute(normalized)) {
    throw new Error(`Security Violation: Archive entry is absolute: ${entryPath}`);
  }
 
  // Check 3: Symlink and Hardlink restriction (Pseudo-code for logic)
  // The patch also rejects entries identified as symlinks or hardlinks 
  // to prevent 'Symlink Slip' attacks.
}

Additionally, the patch enforces strict directory confinement for other file operations. Downloads are now locked to /tmp/openclaw/downloads, and uploads are restricted to /tmp/openclaw/uploads, ensuring that temporary file operations cannot impact the host OS configuration.

To exploit this vulnerability, an attacker must induce the OpenClaw application to extract a malicious archive. This is typically achieved by distributing a compromised 'skill' or plugin via a community repository or by manipulating a download URL if the attacker has a Man-in-the-Middle (MitM) position or control over an update server.

Attack Scenario:

1. Archive Creation: The attacker creates a ZIP file containing a payload (e.g., a reverse shell script or a new SSH key).
2. Path Manipulation: The attacker modifies the internal filename of the payload to ../../../../../../bin/malicious_script.sh.
3. Delivery: The attacker publishes this archive as a new OpenClaw skill.
4. Execution: The victim runs openclaw skills install <malicious-skill>.
5. Extraction: OpenClaw downloads the ZIP and extracts it. The extractor follows the directory traversal path and writes malicious_script.sh to the system's /bin directory, overwriting any existing file or creating a new one.

Due to the permissions typically required by OpenClaw to manage system tools, the overwritten files often execute with high privileges, leading to immediate system compromise.

The impact of this vulnerability is rated as High. The ability to write arbitrary files to the filesystem provides attackers with multiple avenues to achieve Remote Code Execution (RCE).

• System Compromise: Overwriting ~/.ssh/authorized_keys allows direct SSH access.
• Persistence: Injecting malicious scripts into startup folders or .bashrc ensures code execution upon user login.
• Denial of Service: Overwriting critical system binaries or libraries can render the host operating system unstable or unbootable.
• Data Integrity: Configuration files for OpenClaw or other applications can be modified to disable security controls or redirect data.

The vulnerability is particularly dangerous in environments where OpenClaw runs with elevated privileges or in containerized environments where the container filesystem is not read-only.