CVE-2026-32040
MEDIUM 4.6 | EPSS 0.03% | OpenClaw Vulnerable to HTML injection via unvalidated image MIME type in data-URL interpolation
Description
## Summary

The HTML session exporter (`src/auto-reply/reply/export-html/template.js`) interpolates `img.mimeType` directly into `<img src="data:...">` attributes without validation or escaping. A crafted `mimeType` value (e.g., `x" onerror="alert(1)`) can break out of the attribute context and execute arbitrary JavaScript.

## Impact

An attacker who can control image entries in session data (via crafted tool results or session manipulation) can achieve XSS when the exported HTML is opened. The precondition is tighter than the main XSS finding (requires image content blocks with a malicious mimeType), but exploitation is straightforward.

## Affected components

- `src/auto-reply/reply/export-html/template.js`: line 1032 (tool result images), line 1306 (user message images)

## Reproduction

1. Craft a session entry with an image content block where `mimeType` is set to `image/png" onerror="alert(document.domain)`
2. Export the session to HTML
3. Open the exported HTML; the injected `onerror` fires

## Remediation

- Added `sanitizeImageMimeType()` helper that validates mimeType against a whitelist of known image MIME types
- Falls back to `application/octet-stream` for unrecognized values, preventing attribute breakout

## Fix

https://github.com/openclaw/openclaw/pull/24140
Affected packages (1)
- npm/openclaw: from 0, < 2026.2.23
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| osv | CVSS 3.1 | MEDIUM 4.6 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-32040
- PATCH: https://github.com/openclaw/openclaw
- WEB: https://github.com/openclaw/openclaw/commit/f3adf142c195000cbde31200626a1d8c8b716df9
- WEB: https://github.com/openclaw/openclaw/pull/24140
- WEB: https://github.com/openclaw/openclaw/security/advisories/GHSA-2ww6-868g-2c56
- WEB: https://www.vulncheck.com/advisories/openclaw-html-injection-via-unvalidated-image-mime-type-in-data-url-interpolation