OpenClaw/Clawdbot, Resource Exhaustion, CVE-2026-XXXXX (Medium)

Listen to this Post

The vulnerability resides in the `extractArchive` function within src/infra/archive.ts. Prior to implementing strict resource budgets, the archive extraction process lacked limits on the number of files or the total decompressed size it would handle . This allowed a specially crafted, high-compression ZIP or TAR archive—often referred to as a “zip bomb”—to be processed during automated install or update flows. When the application attempted to extract such an archive, it would trigger massive disk, memory, and CPU usage as the archive expanded exponentially . The extractor did not check the compression ratio or set a maximum threshold for the final extracted data volume. An attacker could exploit this by causing the system to exhaust its available resources, leading to a complete denial of service for the application or the host system. The fix introduces resource budgets by enforcing limits on the total entry count and total extracted bytes, and for ZIP files, a limit on the compressed archive size itself, rejecting any archive that exceeds these pre-defined budgets.
Platform: NPM
Version: <=2026.2.13
Vulnerability: Resource Exhaustion
Severity: Medium
Date: 18 Feb 2026

Prediction: 20 Feb 2026

What Undercode Say:

Analytics

The issue is triggered during archive extraction in install/update flows. A malicious package with a high compression ratio can cause a DoS.

Example to check compression ratio of a suspicious zip file
unzip -l malicious.zip
Compare total uncompressed size to the actual file size (ls -lh malicious.zip)
A ratio > 100:1 is highly suspicious.

Exploit:

An attacker crafts a malicious package with a “zip bomb” and hosts it on a public registry or tricks a user into installing it.

Conceptual example of a zip bomb structure
import zipfile
with zipfile.ZipFile('payload.zip', 'w') as zf:
Write a highly compressible file (e.g., 1GB of zeros) that compresses to a few MB
zf.writestr('largefile.bin', b'\x00' 1024 1024 1024, compress_type=zipfile.ZIP_DEFLATED)

Protection from this CVE:

Update to the patched version once released by the vendor. The fix enforces resource budgets in the `extractArchive` function.

Update the package to a secure version (once available)
npm install openclaw@latest
npm install clawdbot@latest

Impact:

Successful exploitation leads to excessive consumption of CPU, memory, and disk space during extraction. This results in a denial of service, making the application or system unresponsive.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top