{"id":"GHSA-659f-22xc-98f2","summary":"OpenClaw hook transform path containment missed symlink-resolved escapes","details":"## Vulnerability\n\nWebhook transform modules were validated with lexical path checks only. A symlink under the allowed hooks transform tree could resolve outside the intended directory and be dynamically imported.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.2.21-2`\n- Patched version (planned next release): `2026.2.22`\n\n## Impact\n\nWhen an attacker can cause a transform module path to reference a symlinked entry that resolves outside the trusted transform directory, the gateway may import and execute unintended JavaScript with gateway-process privileges.\n\n## Attack Preconditions\n\n- Hook transforms are enabled and reachable.\n- Attacker can influence transform path resolution (for example via privileged config access and/or writable filesystem path in the transform tree).\n- A symlink escape exists to attacker-controlled code.\n\n## Remediation\n\n- Enforce realpath-aware containment for existing path ancestors before dynamic import.\n- Keep lexical containment checks for traversal and absolute-path escapes.\n- Add regression coverage for:\n  - transform module symlink escape rejection,\n  - `hooks.transformsDir` symlink escape rejection,\n  - in-root symlink allow-case.\n\n## Fix Commit(s)\n\n- `f4dd0577b055f77af783105bd65eae32f3d5e6a1`\n\nOpenClaw thanks @aether-ai-agent for reporting.","modified":"2026-03-04T15:13:19.961962Z","published":"2026-03-03T23:00:53Z","database_specific":{"github_reviewed":true,"severity":"HIGH","cwe_ids":["CWE-94"],"github_reviewed_at":"2026-03-03T23:00:53Z","nvd_published_at":null},"references":[{"type":"WEB","url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-659f-22xc-98f2"},{"type":"WEB","url":"https://github.com/openclaw/openclaw/commit/f4dd0577b055f77af783105bd65eae32f3d5e6a1"},{"type":"PACKAGE","url":"https://github.com/openclaw/openclaw"}],"affected":[{"package":{"name":"openclaw","ecosystem":"npm","purl":"pkg:npm/openclaw"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2026.2.22"}]}],"database_specific":{"last_known_affected_version_range":"\u003c= 2026.2.21-2","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-659f-22xc-98f2/GHSA-659f-22xc-98f2.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}