OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR)
Description
Published to the GitHub Advisory Database
Feb 18, 2026
Reviewed
Feb 18, 2026
Published by the National Vulnerability Database
Mar 5, 2026
Last updated
Mar 6, 2026
Summary
Archive extraction lacked strict resource budgets, allowing high-expansion ZIP/TAR archives to consume excessive CPU/memory/disk during install/update flows.
Affected Packages / Versions
Details
Affected component:
src/infra/archive.ts (extractArchive). The extractor now enforces resource budgets (entry count and extracted byte limits; ZIP also enforces a compressed archive size limit) and rejects over-budget archives.
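As an added illustration of the mitigation described above (example code written for this page, not OpenClaw's src/infra/archive.ts): a budgeted extractor that charges each tar entry's declared size against an entry-count limit and a total-extracted-bytes limit before copying any data, and, for the ZIP case, caps both the compressed input size and the inflated output of a DEFLATE member using zlib's maxOutputLength. The ExtractionBudget type, the function names and the in-memory sample archives are assumptions made for this example; the ZIP side is shown at the DEFLATE-member level rather than as a full ZIP container parser.

```typescript
// Added example for this advisory, not OpenClaw's own extractor.
// Budgeted extraction: decide from archive metadata, before materialising
// data, whether an archive fits the caller's resource budget.
import { deflateRawSync, inflateRawSync } from "node:zlib";

export interface ExtractionBudget {
  maxEntries: number;         // entries allowed per archive
  maxTotalBytes: number;      // uncompressed bytes allowed across all entries
  maxCompressedBytes: number; // compressed input accepted (ZIP/DEFLATE case)
}

export class BudgetExceededError extends Error {}

export interface TarEntry { name: string; size: number; data: Buffer }

// Tar headers are 512-byte blocks; the checksum is computed with its own
// field treated as spaces. A header that fails this check is not trusted.
function tarChecksumOk(header: Buffer): boolean {
  const stored = parseInt((header.toString("ascii", 148, 156).split("\0")[0] ?? "").trim(), 8);
  let sum = 0;
  for (let i = 0; i < 512; i++) sum += i >= 148 && i < 156 ? 0x20 : header.readUInt8(i);
  return sum === stored;
}

// Walk a tar buffer, charging each entry's declared size against the budget
// before copying any of its bytes. Over-budget archives are rejected outright.
export function extractTarWithBudget(tar: Buffer, budget: ExtractionBudget): TarEntry[] {
  const entries: TarEntry[] = [];
  let offset = 0;
  let totalBytes = 0;
  while (offset + 512 <= tar.length) {
    const header = tar.subarray(offset, offset + 512);
    if (header.every((b) => b === 0)) break; // zero block marks end of archive
    if (!tarChecksumOk(header)) throw new Error(`bad tar header checksum at offset ${offset}`);
    const name = header.toString("utf8", 0, 100).split("\0")[0] ?? "";
    const size = parseInt((header.toString("ascii", 124, 136).split("\0")[0] ?? "").trim() || "0", 8);
    if (!Number.isSafeInteger(size) || size < 0) throw new Error(`invalid size for ${name}`);
    if (entries.length + 1 > budget.maxEntries) {
      throw new BudgetExceededError(`entry count exceeds ${budget.maxEntries}`);
    }
    totalBytes += size;
    if (totalBytes > budget.maxTotalBytes) {
      throw new BudgetExceededError(`extracted bytes exceed ${budget.maxTotalBytes}`);
    }
    const dataStart = offset + 512;
    if (dataStart + size > tar.length) throw new Error(`truncated entry ${name}`);
    entries.push({ name, size, data: Buffer.from(tar.subarray(dataStart, dataStart + size)) });
    offset = dataStart + Math.ceil(size / 512) * 512; // data is padded to 512-byte blocks
  }
  return entries;
}

// ZIP members are raw DEFLATE streams. Bound the compressed input and let zlib
// abort inflation as soon as the output budget is reached, so a small but
// highly compressible member cannot balloon memory.
export function inflateWithBudget(compressed: Buffer, budget: ExtractionBudget): Buffer {
  if (compressed.length > budget.maxCompressedBytes) {
    throw new BudgetExceededError(`compressed size ${compressed.length} exceeds ${budget.maxCompressedBytes}`);
  }
  let out: Buffer;
  try {
    out = inflateRawSync(compressed, { maxOutputLength: budget.maxTotalBytes });
  } catch (err) {
    if ((err as { code?: string }).code === "ERR_BUFFER_TOO_LARGE") {
      throw new BudgetExceededError(`inflated size exceeds ${budget.maxTotalBytes}`);
    }
    throw err;
  }
  if (out.length > budget.maxTotalBytes) { // defensive re-check of the same limit
    throw new BudgetExceededError(`inflated size exceeds ${budget.maxTotalBytes}`);
  }
  return out;
}

// Constructed sample input: a minimal ustar archive whose files are filled with 'A'.
export function buildTar(files: { name: string; size: number }[]): Buffer {
  const blocks: Buffer[] = [];
  for (const f of files) {
    const header = Buffer.alloc(512, 0);
    header.write(f.name, 0, 100, "utf8");
    header.write("0000644\0", 100, 8, "ascii");                                  // mode
    header.write("0000000\0", 108, 8, "ascii");                                  // uid
    header.write("0000000\0", 116, 8, "ascii");                                  // gid
    header.write(f.size.toString(8).padStart(11, "0") + "\0", 124, 12, "ascii"); // size
    header.write("00000000000\0", 136, 12, "ascii");                             // mtime
    header.write("        ", 148, 8, "ascii");                                   // checksum placeholder
    header.write("0", 156, 1, "ascii");                                          // regular file
    header.write("ustar\u000000", 257, 8, "ascii");                              // magic + version
    let sum = 0;
    for (let i = 0; i < 512; i++) sum += header.readUInt8(i);
    header.write(sum.toString(8).padStart(6, "0") + "\0 ", 148, 8, "ascii");
    const data = Buffer.alloc(Math.ceil(f.size / 512) * 512, 0);
    data.fill(0x41, 0, f.size);
    blocks.push(header, data);
  }
  blocks.push(Buffer.alloc(1024, 0)); // two zero blocks terminate the archive
  return Buffer.concat(blocks);
}

// Small archives pass; an oversized tar entry and a 1 MiB-of-zeros DEFLATE
// "bomb" (about 1 KiB compressed) are both rejected under a 64 KiB budget.
export function demo(): { tarEntries: number; tarRejected: boolean; bombRejected: boolean } {
  const budget: ExtractionBudget = { maxEntries: 8, maxTotalBytes: 1 << 16, maxCompressedBytes: 1 << 16 };
  const tarEntries = extractTarWithBudget(buildTar([{ name: "a.txt", size: 100 }, { name: "b.txt", size: 200 }]), budget).length;
  let tarRejected = false;
  try { extractTarWithBudget(buildTar([{ name: "big.bin", size: (1 << 16) + 1 }]), budget); }
  catch (e) { tarRejected = e instanceof BudgetExceededError; }
  const bomb = deflateRawSync(Buffer.alloc(1 << 20, 0));
  let bombRejected = false;
  try { inflateWithBudget(bomb, budget); } catch (e) { bombRejected = e instanceof BudgetExceededError; }
  return { tarEntries, tarRejected, bombRejected };
}

console.log(demo());
```

The important property is that the tar budget is charged from header metadata before any entry bytes are copied, and the DEFLATE budget is enforced inside zlib rather than after a full inflate, so a rejected archive never reaches the memory or disk it was trying to consume.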
Fix Commit(s)
Release Process Note
This advisory will be updated with patched versions once the next npm release containing the fix is published.
Credits
Thanks @vincentkoc for reporting.
References