GHSA-65h8-27jh-q8wv

Details

Summary

Nostr inbound DM handling could perform crypto and dispatch work before sender and pairing policy enforcement, enabling unauthorized pre-auth computation.

Affected Packages / Versions

Package: openclaw (npm)
Affected: < 2026.3.22
Fixed: >= 2026.3.22
Latest released tag checked: v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87)
Latest published npm version checked: 2026.3.23-2

Fix Commit(s)

1ee9611079e81b9122f4bed01abb3d9f56206c77

Release Status

The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2.

Code-Level Confirmation

extensions/nostr/src/channel.ts now performs authorization before decrypting and dispatching inbound DM content.
extensions/nostr/src/nostr-bus.ts adds pre-crypto authorization, size, and rate guardrails before expensive decrypt work.

OpenClaw thanks @kuranikaran for reporting.

Affected Packages

openclaw

npm

Fixed in:

2026.3.22

References

ADVISORY

https://github.com/advisories/GHSA-65h8-27jh-q8wv

PACKAGE

https://github.com/openclaw/openclaw

WEB

https://github.com/openclaw/openclaw/commit/1ee9611079e81b9122f4bed01abb3d9f56206c77

WEB

https://github.com/openclaw/openclaw/security/advisories/GHSA-65h8-27jh-q8wv