CVE-2026-28478

描述

### Summary Multiple webhook handlers accepted and buffered request bodies without a strict unified byte/time limit. A remote unauthenticated attacker could send oversized payloads and cause memory pressure, degrading availability. ### Details Affected packages: - `openclaw` (npm): `<2026.2.12` - `clawdbot` (npm): `<=2026.1.24-3` Root cause: - Webhook code paths buffered request payloads without consistent `maxBytes` + `timeoutMs` enforcement. - Some SDK-backed handlers parse request bodies internally and needed stream-level guards. Attack shape: - Send very large JSON payloads or slow/incomplete uploads to webhook endpoints. - Observe elevated memory usage and request handler pressure. ### Impact Remote unauthenticated availability impact (DoS) via request body amplification/memory pressure. ### Patch details (implemented) - Added shared bounded request-body helper in `src/infra/http-body.ts`. - Exported helper in `src/plugin-sdk/index.ts` for extension reuse. - Migrated webhook body readers to shared helper for: - LINE - Nextcloud Talk - Google Chat - Zalo - BlueBubbles - Nostr profile HTTP - Voice-call - Gateway hooks - Added stream guards for SDK handlers that parse request bodies internally: - Slack - Telegram - Feishu - Added explicit Express JSON body limit handling for MS Teams webhook path. - Standardized failure responses: - `413 Payload Too Large` - `408 Request Timeout` ### Tests - Added regression tests: - `src/infra/http-body.test.ts` - `src/line/monitor.read-body.test.ts` - `extensions/nextcloud-talk/src/monitor.read-body.test.ts` - Focused webhook/security test suite passes for patched paths. ### Remediation Upgrade to the first release containing this patch. ## Credits Thanks @vincentkoc for reporting.

受影響套件(2)

• npm/clawdbotfrom 0, <= 2026.1.24-3
• npm/openclawfrom 0, < 2026.2.13

CVSS 分數

參考連結(2)

• PATCHhttps://github.com/openclaw/openclaw
• WEBhttps://github.com/openclaw/openclaw/security/advisories/GHSA-q447-rj3r-2cgh