CVSS 4.0 (GHSA): 7.1
OpenClaw: Malicious Archives Can Write Outside Intended Folder
GHSA-jxrq-8fm4-9p58
Summary
A path-confinement bypass in OpenClaw's ZIP extraction allows an attacker to write files outside the intended destination folder when a malicious archive is extracted into a folder that already contains a symbolic link. The result is an arbitrary file write outside the extraction root, which could lead to unauthorized modification of data. Affected users should update to OpenClaw 2026.2.22, which contains the fix.
What to do
- Update openclaw to version 2026.2.22.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.21-2 | 2026.2.22 |
Original title
OpenClaw: Zip extraction symlink traversal could write outside destination
Original description
### Summary
A path confinement bypass in OpenClaw ZIP extraction allowed writes outside the intended destination when a pre-existing symlink was present under the extraction root.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version at triage time: `2026.2.21-2`
- Affected versions: `<= 2026.2.21-2`
- Planned patched version for next release: `2026.2.22`
### Technical Details
The vulnerable code was the ZIP extraction logic in `src/infra/archive.ts`. Output-path checks were purely lexical (computed on the path string alone, without consulting the filesystem), so an entry whose joined path passed the check could still traverse an existing symlink in one of its destination path segments and land outside the extraction root.
The fix blocks this by:
- rejecting symlink traversal in destination path segments,
- validating resolved destination paths remain inside the extraction root,
- using no-follow file opens for ZIP output writes where supported,
- adding a regression test for pre-seeded destination symlink traversal.
### Impact
- Type: Arbitrary file write outside extraction root via symlink traversal during ZIP extraction.
- Preconditions: attacker-controlled archive extraction plus pre-existing symlink in destination path.
### Fix Commit(s)
- 4b226b74f5fd3b106a83a6347fd404172e2fd246
### Release Process Note
Patched version is pre-set to the planned next release (`2026.2.22`).
Once npm release `2026.2.22` is published, the advisory can be published without further field edits.
OpenClaw thanks @tdjackey for reporting.
Vulnerability type: CWE-59 (Link Following)
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026