GHSA-w2cg-vxx6-5xjg
OpenClaw: denial of service through large base64 media files allocating large buffers before limit checks
Details
## Summary
Base64-backed media inputs could be decoded into Buffers before enforcing decoded-size budgets. An attacker supplying oversized base64 payloads can force large allocations, causing memory pressure and denial of service.
## Attack Scenario Notes
- Recommended deployments bind the gateway to loopback by default and require gateway auth for HTTP endpoints. In that configuration, this is best modeled as a local/authorized DoS.
- If an operator exposes the gateway to untrusted networks (or disables/weakens auth and rate limits), treat this as a higher-severity network DoS risk.
## Affected Packages / Versions
- openclaw (npm): <= 2026.2.13
- clawdbot (npm): <= 2026.1.24-3
## Fixed In
- openclaw (npm): 2026.2.14 (planned)
- clawdbot (npm): no patched release planned; migrate to openclaw
## Fix Commit(s)
- 31791233d60495725fa012745dde8d6ee69e9595
## Credits
Thanks @vincentkoc for reporting.
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-w2cg-vxx6-5xjg [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-29612 [ADVISORY]
- https://github.com/openclaw/openclaw/commit/31791233d60495725fa012745dde8d6ee69e9595 [WEB]
- https://github.com/openclaw/openclaw [PACKAGE]
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.14 [WEB]
- https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-large-base-media-file-decoding [WEB]