OpenClaw Denial-of-Service Vulnerability via Resource-Intensive Archive Extraction

A denial-of-service vulnerability has been identified in OpenClaw versions prior to 2026.2.14. The issue resides in the extractArchive function within src/infra/archive.ts. This vulnerability allows remote attackers to cause excessive consumption of CPU, memory, and disk resources by exploiting high-expansion ZIP and TAR archives. During installation or update operations, the maliciously crafted archive files can lead to significant resource exhaustion, causing degradation of service or complete system unavailability.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing service degradation or system unavailability.

Reproduction

The vulnerability can be reproduced by using OpenClaw versions prior to 2026.2.14 and providing ZIP or TAR archives that are crafted to expand significantly when extracted. This can be done by creating an archive that contains a large number of files or very large files, which exceeds the application's handling capacity. Once such an archive is prepared, it can be uploaded during an install or update operation, triggering the resource exhaustion issue.

Remediation

Users can upgrade to OpenClaw version 2026.2.14 or later, where this vulnerability has been patched.