Security Advisories | Source: GitHub Security Advisories | Views: 8
[openclaw] OpenClaw has a Web Fetch DoS via unbounded response parsing
By GitHub, 20 February 2026
**[openclaw] OpenClaw has a Web Fetch DoS via unbounded response parsing**
**Summary**
The web_fetch tool could be used to crash the OpenClaw Gateway process (OOM / resource exhaustion) by fetching and attempting to parse attacker-controlled web pages with oversized response bodies or pathological HTML nesting.

**Affected Packages / Versions**
Package: openclaw (npm)
Affected versions: <= 2026.2.14
Fixed versions: >= 2026.2.15

**Impact**
An attacker can social-engineer a user (or any automation that uses web_fetch) into fetching a malicious URL that returns extremely large or deeply nested HTML. The Gateway may exhaust memory or become unresponsive, causing a denial of service.

**Fix**
The Gateway now caps the downloaded response body size before any HTML parsing and adds additional guards to avoid running Readability/DOM parsing on pathological HTML.

**Fix Commit(s)**
166cf6a3e04c7df42bea70a7ad5ce2b9df46d147

**Release Process Note**
This advisory is prepared for the next npm release...
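The two guards the advisory describes, a byte cap enforced while the body is still streaming and a nesting-depth check before any DOM/Readability parsing, are shown below as an added example written for this page. It is not openclaw's code and does not reflect how the fix commit is implemented; the limits (`MAX_BODY_BYTES`, `MAX_NESTING_DEPTH`), the error class and the helper names are all assumptions chosen for illustration. The sample responses at the bottom are constructed in-process so the example runs offline on Node 18+ (global `Response`, `Headers`, `ReadableStream`).

```javascript
// Added example (not openclaw's code). Assumed limits for illustration.
const MAX_BODY_BYTES = 2 * 1024 * 1024; // hypothetical 2 MiB cap on the fetched body
const MAX_NESTING_DEPTH = 256;           // hypothetical cap on open-element depth

class BodyTooLargeError extends Error {}
class HtmlTooDeepError extends Error {}

// Fast reject: trust an honest Content-Length, but never rely on it alone,
// since a malicious server can omit it or lie.
function declaredLengthExceeds(headers, maxBytes) {
  const raw = headers.get('content-length');
  if (raw === null) return false;
  const n = Number(raw);
  return Number.isFinite(n) && n > maxBytes;
}

// Read the body chunk by chunk and abort as soon as the running total passes
// the cap. This is the important part: response.text() would buffer the whole
// body first, which is exactly the OOM the advisory describes.
async function readBodyCapped(response, maxBytes = MAX_BODY_BYTES) {
  if (declaredLengthExceeds(response.headers, maxBytes)) {
    throw new BodyTooLargeError(`declared Content-Length exceeds ${maxBytes} bytes`);
  }
  if (!response.body) return '';
  const reader = response.body.getReader();
  const chunks = [];
  let total = 0;
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    total += value.byteLength;
    if (total > maxBytes) {
      await reader.cancel(); // stop pulling from the socket
      throw new BodyTooLargeError(`body exceeded ${maxBytes} bytes`);
    }
    chunks.push(value);
  }
  return Buffer.concat(chunks).toString('utf8');
}

// Cheap single-pass scan of start/end tags to estimate maximum element
// nesting before handing the document to a real DOM parser. It is a
// heuristic pre-check (no tag-soup rules, ignores <script> contents), not a
// parser; it returns early once the limit is crossed.
const VOID_TAGS = new Set(['area', 'base', 'br', 'col', 'embed', 'hr', 'img',
  'input', 'link', 'meta', 'source', 'track', 'wbr']);
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9-]*)[^>]*?(\/?)>/g;

function maxTagDepth(html, limit = MAX_NESTING_DEPTH) {
  let depth = 0;
  let max = 0;
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    if (m[0].startsWith('</')) { depth = Math.max(0, depth - 1); continue; }
    if (VOID_TAGS.has(name) || m[2] === '/') continue; // no nesting contribution
    depth += 1;
    if (depth > max) max = depth;
    if (depth > limit) return depth; // bail out early on pathological input
  }
  return max;
}

// Combined guard: fetch-side byte cap, then depth check, then (only then) the
// expensive parse step. `parse` is a placeholder for the real Readability/DOM
// call; here it just returns the text so the function is testable offline.
async function fetchBodyForParsing(response, { maxBytes = MAX_BODY_BYTES,
  maxDepth = MAX_NESTING_DEPTH, parse = (html) => html } = {}) {
  const html = await readBodyCapped(response, maxBytes);
  if (maxTagDepth(html, maxDepth) > maxDepth) {
    throw new HtmlTooDeepError(`element nesting exceeds ${maxDepth}`);
  }
  return parse(html);
}

// Constructed sample responses (no network): a benign page, an oversized
// body, and a deeply nested page.
function sampleResponses() {
  return {
    benign: () => new Response('<html><body><p>hello</p></body></html>'),
    oversized: () => new Response('a'.repeat(4096)),
    nested: () => new Response('<div>'.repeat(1000) + 'x' + '</div>'.repeat(1000)),
  };
}

async function demo() {
  const s = sampleResponses();
  const results = {};
  results.benign = await fetchBodyForParsing(s.benign(), { maxBytes: 1024, maxDepth: 16 });
  results.oversized = await fetchBodyForParsing(s.oversized(), { maxBytes: 1024, maxDepth: 16 })
    .then(() => 'parsed', (e) => e.constructor.name);
  results.nested = await fetchBodyForParsing(s.nested(), { maxBytes: 1024 * 1024, maxDepth: 16 })
    .then(() => 'parsed', (e) => e.constructor.name);
  return results;
}
```

In a real tool the byte cap belongs on the fetch layer together with a request timeout (for example `AbortSignal.timeout(ms)` passed as the `signal` option) and a limit on redirects, so a slow-drip or redirect-loop server cannot hold the worker indefinitely; the depth check is only a pre-filter, and the parser itself should still be run with a memory budget.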
---
**[devsupporter commentary]**
This article is the latest development news provided by GitHub Security Advisories. To learn more about the related tools or technologies, refer to the original link.