CVE-2026-31995

EPSS 0.04%

OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path

發布日:2026/3/3修改日:2026/3/19
也稱為:GHSA-fg3m-vhrr-8gj6

描述

### Summary On Windows, the Lobster extension previously retried certain spawn failures (`ENOENT`/`EINVAL`) with `shell: true` for wrapper compatibility. In that fallback path, tool-provided arguments could be interpreted by `cmd.exe` if fallback was triggered. ### Affected Packages / Versions - Package: `openclaw` (npm) - Latest published version at triage: `2026.2.17` - Affected range: `>= 2026.1.21 <= 2026.2.17` - Patched version: `2026.2.19` (pre-set for next release) ### Fix The Windows shell fallback was removed. Wrapper compatibility is preserved by resolving `.cmd`/`.bat` shims to a concrete Node entrypoint (or executable) and executing with explicit argv (no shell). If a safe entrypoint cannot be resolved, execution now fails closed with a guided error. ### Fix Commit(s) - `ba7be018da354ea9f803ed356d20464df0437916` ### Severity Context This issue requires Windows plus fallback-triggering conditions, and argument control through a local operator-defined workflow. OpenClaw thanks @tdjackey for reporting.

受影響套件(1)

CVSS 分數

來源版本嚴重程度向量
osvCVSS 4.0CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

參考連結(5)