CVE Reports

Posted on • Originally published at cvereports.com

GHSA-H89V-J3X9-8WQJ: The Infinite Matryoshka: Unpacking OpenClaw's Zip Bomb Vulnerability

Vulnerability ID: GHSA-H89V-J3X9-8WQJ
CVSS Score: 7.5
Published: 2026-02-18

A classic case of 'trusting the input' leads to Denial of Service and potential file overwrite in the OpenClaw and Clawdbot ecosystem. By failing to validate archive contents before extraction, the application becomes susceptible to 'Zip Bombs'—tiny files that expand into petabytes of garbage—and directory traversal attacks that can escape the sandbox.

TL;DR

OpenClaw versions <= 2026.2.13 allow unauthenticated users (in some configurations) or low-privileged users to upload malicious archives. These archives can either be 'Zip Bombs' that crash the server by exhausting disk/memory, or contain path traversal payloads (../../) to overwrite sensitive system files. The fix enforces strict resource budgets and path sanitization.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-409 (Zip Bomb) / CWE-22 (Path Traversal)
  • CVSS Score: 7.5 (High)
  • Attack Vector: Network (via File Upload)
  • Impact: Denial of Service & File Overwrite
  • Exploit Status: No public PoC, but trivial to exploit
  • Patch Date: 2026-02-14

Affected Systems

  • OpenClaw Automation Server
  • Clawdbot Runtime
  • Any Node.js application using vulnerable versions of the openclaw library
  • openclaw: <= 2026.2.13 (Fixed in: 2026.2.14)
  • clawdbot: <= 2026.1.24-3 (Fixed in: Latest)

Code Analysis

Commit: d3ee5de

feat(infra): enforce extraction resource limits

+ const budgetStream = new Transform({ ... })
+ if (stats.size > limits.maxArchiveBytes) throw ...
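Review bot: the `stats.size > limits.maxArchiveBytes` check bounds only the compressed archive on disk, while a zip bomb's cost is in decompressed output, so `budgetStream` needs to charge every decompressed byte against a separate extracted-bytes limit that is shared across all entries of the archive rather than reset per entry; the advisory also lists entry count and recursion depth as quotas, so `limits` should carry those too and the elided `throw` should abort the whole extraction, not just the current entry.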

Commit: 5f4b291

test(infra): coverage for archive size and absolute paths

+ it('should reject archive exceeding size limit', ...)
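Review bot: the one visible test covers only the size limit, although the commit title claims coverage for absolute paths as well; add cases asserting that entries with absolute names and with `../` components are rejected, since the advisory names `../../` traversal as the second defect and a size test alone leaves that path untested.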

Exploit Details

  • General Knowledge: Standard Zip Bomb techniques apply (42.zip, recursive deflation)

Mitigation Strategies

  • Input Validation: Verify archive headers and reject unsafe entry types (symlinks, device nodes).
  • Resource Quotas: Enforce strict limits on uncompressed size, entry count, and recursion depth.
  • Sandboxing: Ensure extraction occurs in a temporary directory with restricted write permissions.
  • Stream Accounting: Use Transform streams to count decompressed bytes in real time and abort extraction as soon as a limit is exceeded.

Remediation Steps:

  1. Update openclaw package to version 2026.2.14 or later.
  2. Update clawdbot to the latest stable release.
  3. Restart the application service to ensure new code is loaded.
  4. Verify that the node-tar or zip handling logic now enforces the maxArchiveBytes limit.

Read the full report for GHSA-H89V-J3X9-8WQJ on our website for more details including interactive diagrams and full exploit analysis.