OpenClaw Decompression Bomb Vulnerability Allowing Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in OpenClaw versions prior to 2026.3.31. The image processing component fails to enforce its pixel-limit restriction when the 'sips' image backend is in use, so a decompression bomb (a small compressed image file that declares a very large pixel count) is decoded in full rather than rejected up front. An attacker can exploit this by uploading such an oversized image, causing excessive memory consumption that exhausts the application's available resources.
Impact
Successful exploitation results in a denial-of-service condition: decoding the oversized image consumes excessive memory, which can disrupt normal application operations.
Reproduction
The vulnerability can be reproduced by uploading an image whose dimensions exceed the pixel limit of 25 million pixels through the application's image upload feature, for example a PNG or JPEG file crafted to declare a very high pixel count. The upload must be handled by the 'sips' image backend, which does not check the oversized image against the pixel limit before it is decoded and processed.
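As an added example (this is not OpenClaw's code, and not the project's actual fix), the following Python script builds a decompression-bomb PNG of the kind described above and shows the check a backend should perform: read the declared dimensions from the file header and apply the pixel limit before anything is decoded. The 25 million pixel limit is taken from this advisory; the header parsers, the constructed sample images and the function names are assumptions made for the illustration only.

```python
"""Header-first pixel-limit enforcement. Added example, not OpenClaw's code."""
import struct
import zlib
from typing import Tuple

# Limit taken from the advisory; assumed here as the cap the backend should enforce.
MAX_PIXELS = 25_000_000

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"


def png_dimensions(data: bytes) -> Tuple[int, int]:
    """Read width/height from IHDR, which the PNG spec requires to be the first
    chunk. Only the first 24 bytes are touched; no IDAT data is inflated."""
    if not data.startswith(PNG_SIG) or len(data) < 24:
        raise ValueError("not a PNG or truncated header")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("malformed PNG: IHDR must be the first chunk")
    width, height = struct.unpack(">II", data[16:24])
    return width, height


def jpeg_dimensions(data: bytes) -> Tuple[int, int]:
    """Walk marker segments until a SOFn frame header gives the dimensions."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("malformed JPEG: expected marker")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:  # markers without a length
            pos += 2
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        # SOF0..SOF15, excluding DHT (C4), JPG (C8) and DAC (CC)
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
            if pos + 9 > len(data):
                raise ValueError("truncated SOF segment")
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])  # after precision byte
            return width, height
        if marker in (0xD9, 0xDA):  # EOI or SOS reached without a frame header
            break
        pos += 2 + seg_len
    raise ValueError("no SOF marker found")


def check_pixel_limit(data: bytes, max_pixels: int = MAX_PIXELS) -> Tuple[int, int]:
    """Reject an image from its header fields alone. This must run before any
    decode call: a decoder honours the declared dimensions and allocates
    width*height*bytes_per_pixel regardless of how small the file is."""
    if data.startswith(PNG_SIG):
        width, height = png_dimensions(data)
    elif data.startswith(JPEG_SOI):
        width, height = jpeg_dimensions(data)
    else:
        raise ValueError("unsupported image format")
    if width == 0 or height == 0:
        raise ValueError("invalid zero dimension")
    pixels = width * height
    if pixels > max_pixels:
        raise ValueError(f"{width}x{height} = {pixels} pixels exceeds limit {max_pixels}")
    return width, height


def passes_pixel_limit(data: bytes, max_pixels: int = MAX_PIXELS) -> bool:
    try:
        check_pixel_limit(data, max_pixels)
        return True
    except ValueError:
        return False


def make_png_bomb(width: int, height: int) -> bytes:
    """Constructed sample: a valid 8-bit grayscale PNG whose pixels are all zero.
    Each scanline is one filter byte plus `width` pixel bytes; zeros deflate at
    roughly 1000:1, so the file is tiny but inflates to width*height bytes."""
    raw = bytes(height * (1 + width))

    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw, 9)) + chunk(b"IEND", b"")


def make_jpeg_header(width: int, height: int) -> bytes:
    """Constructed sample: SOI + JFIF APP0 + a baseline SOF0 frame header for one
    8-bit component. It carries no scan data, which is enough for a header check."""
    app0_body = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", 2 + len(app0_body)) + app0_body
    sof0_body = b"\x08" + struct.pack(">HH", height, width) + b"\x01" + b"\x01\x11\x00"
    sof0 = b"\xff\xc0" + struct.pack(">H", 2 + len(sof0_body)) + sof0_body
    return JPEG_SOI + app0 + sof0


if __name__ == "__main__":
    bomb = make_png_bomb(6000, 5000)  # 30 MP, above the 25 MP limit
    w, h = png_dimensions(bomb)
    print(f"bomb: {len(bomb)} bytes on disk, declares {w}x{h} = {w * h} pixels "
          f"({w * h / 1e6:.0f} MB of 8-bit grayscale once decoded)")
    print("accepted:", passes_pixel_limit(bomb))
```

Running the script shows why a file-size limit alone is not a substitute: the 30 megapixel PNG it constructs is a few tens of kilobytes on disk, and only the IHDR dimensions reveal what decoding it would allocate. The check is deliberately done on the header bytes rather than by opening the image with a decoder, since a decoder that trusts the declared size is exactly the component the bomb targets.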
Remediation
Users can update to OpenClaw version 2026.3.31 or later, where this vulnerability has been fixed.
