Claw Orchestrator
Regular expression denial of service in Enderfga claw-orchestrator 3.7.0 and earlier allows authenticated remote attackers to degrade service availability by submitting crafted patterns to the Session Grep Endpoint. The validateRegex function in claw-orchestrator/src/embedded-server.ts passes user-supplied body.pattern directly to the V8 JavaScript regex engine, which uses backtracking and can be forced into exponential-time evaluation via patterns like (a+)+$. No public exploit is identified at time of analysis, and the CVSS score of 4.3 (A:L) reflects limited - but real - availability impact via Node.js event loop exhaustion.
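A hardened validateRegex for a grep-style endpoint, as an added example (not claw-orchestrator's own code): it caps pattern length and rejects patterns in which a quantified group itself contains a quantifier, the structure behind (a+)+$. The length limit and the nested-quantifier walk are assumptions; the check is deliberately conservative and does not catch every catastrophic pattern (ambiguous alternation such as (a|aa)+ passes).

```typescript
// Added example, not the project's code. Limits and heuristic are assumptions.
const MAX_PATTERN_LENGTH = 200;
// A quantifier at the current position: *, +, ?, or {m,n}, optionally lazy.
const QUANTIFIER = /^(?:[*+?]|\{\d+(?:,\d*)?\})\??/;

type RegexCheck = { ok: true; regex: RegExp } | { ok: false; reason: string };

// Walk the pattern tracking group nesting. Returns true when a quantifier is
// applied to a group whose body already contains a quantifier, e.g. (a+)+.
function hasNestedQuantifier(pattern: string): boolean {
  const stack: boolean[] = []; // one flag per open group: quantifier seen inside
  let i = 0;
  while (i < pattern.length) {
    const ch = pattern[i];
    if (ch === "\\") { i += 2; continue; }            // escaped char: skip it
    if (ch === "[") {                                 // character class: skip it
      const close = pattern.indexOf("]", i + 1);
      i = close === -1 ? pattern.length : close + 1;
      continue;
    }
    if (ch === "(") { stack.push(false); i++; continue; }
    if (ch === ")") {
      const inner = stack.pop() ?? false;
      i++;
      const m = QUANTIFIER.exec(pattern.slice(i));
      if (m) {
        if (inner) return true;                       // quantified group, quantified body
        i += m[0].length;
        if (stack.length) stack[stack.length - 1] = true;
      }
      continue;
    }
    const q = QUANTIFIER.exec(pattern.slice(i));
    if (q) {                                          // quantifier on a single atom
      if (stack.length) stack[stack.length - 1] = true;
      i += q[0].length;
      continue;
    }
    i++;
  }
  return false;
}

// Reject oversized, structurally dangerous or syntactically invalid patterns
// before anything reaches the backtracking engine.
function validateRegex(pattern: unknown): RegexCheck {
  if (typeof pattern !== "string" || pattern.length === 0) return { ok: false, reason: "pattern must be a non-empty string" };
  if (pattern.length > MAX_PATTERN_LENGTH) return { ok: false, reason: `pattern longer than ${MAX_PATTERN_LENGTH} chars` };
  if (hasNestedQuantifier(pattern)) return { ok: false, reason: "nested quantifiers are not allowed" };
  try { return { ok: true, regex: new RegExp(pattern) }; }
  catch (e) { return { ok: false, reason: `invalid regex: ${(e as Error).message}` }; }
}
```

A more complete mitigation is to evaluate user patterns with a linear-time engine such as RE2, or to run the grep in a worker thread with a time budget so the main event loop is never blocked.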
Missing authentication in Enderfga claw-orchestrator's embedded HTTP server (src/embedded-server.ts, EmbeddedServer class) exposes all API endpoints to unauthenticated network access in versions 3.5.5 and earlier, because the OPENCLAW_SERVER_TOKEN authentication mechanism was opt-in rather than enforced by default. Any attacker with network access to the server port can interact with the orchestration management API without credentials. A publicly available proof-of-concept exists (referenced in GitHub issue #61); this vulnerability is not confirmed in CISA KEV at time of analysis, though the CVSS 4.0 E:P exploit maturity modifier confirms public PoC availability.