CVE Reports

Posted on • Originally published at cvereports.com

GHSA-Q447-RJ3R-2CGH: OpenClaw's Gluttony: Unbounded Memory Consumption in Webhooks

Vulnerability ID: GHSA-Q447-RJ3R-2CGH
CVSS Score: 7.5
Published: 2026-02-18

OpenClaw (formerly ClawdBot) suffers from a critical Denial of Service vulnerability due to improper handling of incoming webhook requests. The application buffers the entire request body into memory without enforcing size limits or checking the Content-Length header.

This architectural oversight allows an unauthenticated attacker to send a single, massive HTTP request—potentially gigabytes in size—forcing the Node.js process to allocate memory until it hits the V8 heap limit or triggers the OS Out-Of-Memory (OOM) killer, crashing the service instantly.

TL;DR

OpenClaw listens for webhooks but doesn't check how big the message is before trying to memorize it. Attackers can send a 5GB 'hello' message, causing the server to eat all available RAM and crash (OOM).


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability ID: GHSA-Q447-RJ3R-2CGH
  • CWE: CWE-400 (Uncontrolled Resource Consumption)
  • CVSS: 7.5 (High)
  • Attack Vector: Network (Unauthenticated)
  • Impact: Denial of Service (DoS)
  • Fix Version: 2026.1.24-4

Affected Systems

  • OpenClaw
  • ClawdBot
  • Moltbot
  • Node.js Webhook Handlers
  • clawdbot: <= 2026.1.24-3 (Fixed in: 2026.1.24-4)

Exploit Details

  • Internal: Simple curl command sending binary data to webhook endpoint

Mitigation Strategies

  • Implement strict request body size limits in the application middleware.
  • Deploy a reverse proxy (Nginx/Apache) to enforce client_max_body_size at the edge.
  • Enforce authentication (Webhook Secrets) to validate sources before parsing bodies.

Remediation Steps

  1. Stop the running OpenClaw instance.
  2. Update the clawdbot package to version 2026.1.24-4 or later.
  3. If using Docker, pull the latest openclaw image.
  4. Verify that the configuration sets webhookSecret and that it is enforced.
  5. Restart the service and monitor RAM usage.

References


Read the full report for GHSA-Q447-RJ3R-2CGH on our website for more details including interactive diagrams and full exploit analysis.