GHSA-r5fq-947m-xm57
HIGHOpenClaw has a path traversal in apply_patch could write/delete files outside the workspace
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.
openclawnpmDescription
Summary
In affected versions, when apply_patch was enabled and the agent ran without filesystem sandbox containment, crafted paths could cause file writes/deletes outside the configured workspace directory.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected:
<= 2026.2.13 - Fixed:
>= 2026.2.14
Details
The non-sandbox path resolution in apply_patch did not enforce workspace containment. Inputs like ../../... or absolute paths could escape the working directory in non-sandboxed mode.
Impact
Practical impact depends on deployment and who can trigger tool execution. This is most relevant when tool invocation is exposed to less-trusted callers or when operators expected workspace-only containment.
Workarounds
- Keep
tools.exec.applyPatch.enableddisabled if you do not needapply_patch. - Keep
tools.exec.applyPatch.workspaceOnlyat its secure default oftrue. - Restrict who can trigger tool execution (and which tools are allowlisted).
Configuration Note
tools.exec.applyPatch.workspaceOnly: false intentionally opts out of workspace containment and can re-enable outside-workspace writes/deletes.
Fix
- PR: https://github.com/openclaw/openclaw/pull/16405
- Merge commit:
5544646a09c0121fca7d7093812dc2de8437c7f1
Credits
Thanks to @p80n-sec for reporting this issue.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | openclaw | all versions | 2026.2.14 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for openclaw. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update openclaw to 2026.2.14 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-r5fq-947m-xm57 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-r5fq-947m-xm57 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-r5fq-947m-xm57. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-r5fq-947m-xm57 in your dependencies?
O3 detects GHSA-r5fq-947m-xm57 across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.