OpenClaw ZIP Extraction Can Write Outside Intended Directory
GHSA-r54r-wmmq-mh84
Summary
A vulnerability in OpenClaw's ZIP extraction feature can allow attackers to write files outside the intended directory. This is a security risk because it can lead to unauthorized data tampering. To fix this, update to version 2026.3.2 or later of OpenClaw.
What to do
- Update openclaw to version 2026.3.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.1 | 2026.3.2 |
Original title
OpenClaw: ZIP extraction race could write outside destination via parent symlink rebind
Original description
### Summary
ZIP extraction in OpenClaw could be raced into writing outside the intended destination directory via parent-directory symlink rebind between validation and write.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Vulnerable versions: `<= 2026.3.1`
- Latest published vulnerable version confirmed: `2026.3.1` (npm as of 2026-03-02)
- Patched version: `2026.3.2` (released)
### Technical Details
In `src/infra/archive.ts`, ZIP extraction previously validated output paths, then later opened/truncated the destination path in a separate step. A local race on parent-directory symlink state could redirect the final write outside the extraction root.
The fix hardens ZIP writes by binding writes to the opened file handle identity and avoiding the pre-write truncate race path, with shared fd realpath verification in `src/infra/fs-safe.ts` and regression coverage in `src/infra/archive.test.ts`.
### Fix Commit(s)
- `7dac9b05dd9d38dd3929637f26fa356fd8bdd107`
CVSS 4.0 (GHSA): 8.7
Vulnerability type
- CWE-59: Link Following
- CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026