GHSA-w7j5-j98m-w679
OpenClaw has multiple E2E/test Dockerfiles that run all processes as root
Blast Radius
Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.
openclawnpmDescription
Three Dockerfiles in scripts/docker/ and scripts/e2e/ lack a USER directive, meaning all processes run as uid 0 (root). If any process is compromised, the attacker has root inside the container, making container breakout significantly easier. Partial fix (2026-02-08): Commit 28e1a65e added USER sandbox to Dockerfile.sandbox and Dockerfile.sandbox-browser. The E2E/test Dockerfiles listed below remain unpatched.
Affected components:
- scripts/e2e/Dockerfile
- scripts/e2e/Dockerfile.qr-import
- scripts/docker/install-sh-e2e/Dockerfile
- scripts/docker/install-sh-nonroot/Dockerfile (runs as app but with NOPASSWD sudo — see related advisory)
Technical Reproduction:
- Open each Dockerfile listed above and search for a USER directive — none found.
- Run any of these containers: docker run --rm -it <image> id
- Observe: returns uid=0(root).
Demonstrated Impact:
- Root inside the container enables kernel exploit attempts, volume mount abuse, and privileged syscall access.
- Test images share the same base (node:22-bookworm) as production, creating risk of accidental deployment of root-running images.
Environment: Base images node:22-bookworm and node:22-bookworm-slim default to root. Dockerfile.sandbox and Dockerfile.sandbox-browser were remediated in commit 28e1a65e; only the E2E/test images listed above remain affected.
Remediation: Add a USER directive before CMD/ENTRYPOINT in each remaining Dockerfile: RUN useradd --create-home --shell /bin/bash appuser USER appuser
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | openclaw | all versions | 2026.2.21 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for openclaw. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update openclaw to 2026.2.21 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-w7j5-j98m-w679 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-w7j5-j98m-w679 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-w7j5-j98m-w679. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-w7j5-j98m-w679 in your dependencies?
O3 detects GHSA-w7j5-j98m-w679 across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.