CWE-349
AllowedAcceptance of Extraneous Untrusted Data With Trusted Data
Abstraction: Base · Status: Draft
The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.
76 vulnerabilities reference this CWE, most recent first.
GHSA-JVHM-GJRH-3H93
Vulnerability from github – Published: 2025-03-19 19:54 – Updated: 2025-03-20 19:31Summary
By sending a crafted HTTP request to a server behind an CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site.
It is possible to craft a request, such as https://mysite.com/?/_payload.json which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site.
Impact
An attacker can perform this attack to a vulnerable site in order to make a site unavailable indefinitely. It is also possible in the case where the cache will be reset to make a small script to send a request each X seconds (=caching duration) so that the cache is permanently poisoned making the site completely unavailable.
Conclusion :
This is similar to a vulnerability in Next.js that resulted in CVE-2024-46982 (and see this article, in particular the "Internal URL parameter and pageProps" part, the latter being very similar to the one concerning us here.)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "nuxt"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.16.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-27415"
],
"database_specific": {
"cwe_ids": [
"CWE-349"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-19T19:54:25Z",
"nvd_published_at": "2025-03-19T19:15:47Z",
"severity": "HIGH"
},
"details": "### Summary\n\nBy sending a crafted HTTP request to a server behind an CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site.\n\nIt is possible to craft a request, such as `https://mysite.com/?/_payload.json` which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site.\n\n### Impact\n\nAn attacker can perform this attack to a vulnerable site in order to make a site unavailable indefinitely. It is also possible in the case where the cache will be reset to make a small script to send a request each X seconds (=caching duration) so that the cache is permanently poisoned making the site completely unavailable.\n\n\n## Conclusion : \n\nThis is similar to a vulnerability in Next.js that resulted in CVE-2024-46982 (and see [this article](https://zhero-web-sec.github.io/research-and-things/nextjs-cache-and-chains-the-stale-elixir), in particular the \"Internal URL parameter and pageProps\" part, the latter being very similar to the one concerning us here.)",
"id": "GHSA-jvhm-gjrh-3h93",
"modified": "2025-03-20T19:31:04Z",
"published": "2025-03-19T19:54:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-jvhm-gjrh-3h93"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27415"
},
{
"type": "PACKAGE",
"url": "https://github.com/nuxt/nuxt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Nuxt allows DOS via cache poisoning with payload rendering response"
}
GHSA-JWM6-6MGM-W3F5
Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2024-04-04 02:15A vulnerability exists in the way that iTerm2 integrates with tmux's control mode, which may allow an attacker to execute arbitrary commands by providing malicious output to the terminal. This affects versions of iTerm2 up to and including 3.3.5. This vulnerability may allow an attacker to execute arbitrary commands on their victim's computer by providing malicious output to the terminal. It could be exploited using command-line utilities that print attacker-controlled content.
{
"affected": [],
"aliases": [
"CVE-2019-9535"
],
"database_specific": {
"cwe_ids": [
"CWE-349",
"CWE-74"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-09T20:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability exists in the way that iTerm2 integrates with tmux\u0027s control mode, which may allow an attacker to execute arbitrary commands by providing malicious output to the terminal. This affects versions of iTerm2 up to and including 3.3.5. This vulnerability may allow an attacker to execute arbitrary commands on their victim\u0027s computer by providing malicious output to the terminal. It could be exploited using command-line utilities that print attacker-controlled content.",
"id": "GHSA-jwm6-6mgm-w3f5",
"modified": "2024-04-04T02:15:20Z",
"published": "2022-05-24T16:58:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9535"
},
{
"type": "WEB",
"url": "https://blog.mozilla.org/security/2019/10/09/iterm2-critical-issue-moss-audit"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/iterm2-discuss/57k_AuLdQa4"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#%21topic/iterm2-discuss/57k_AuLdQa4"
},
{
"type": "WEB",
"url": "https://kb.cert.org/vuls/id/763073"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M3MH-3MPG-37HW
Vulnerability from github – Published: 2026-03-30 18:52 – Updated: 2026-04-10 19:45Fixed in OpenClaw 2026.3.24, the current shipping release.
Summary
During the installation phase of OpenClaw local plugins/hooks, the Git executable can be hijacked by a project-level .npmrc file, leading to arbitrary code execution during installation.
Details
Please note that the source code locations mentioned below are based on version openclaw-2026.3.13-1, but the issue has been confirmed to still exist in the current latest version, 2026.3.23.
When installing a local plugin directory, local plugin archive, local hook pack directory, or local hook pack archive, OpenClaw first copies the source directory to a temporary stageDir, then executes the following in that directory:
npm install --omit=dev --silent --ignore-scripts
See src/infra/install-package-dir.ts:176-199.
Since this process does not strip the project root .npmrc, and npm reads the project-level .npmrc during local project installation, an attacker could use a .npmrc file in a malicious plugin or hook directory to override npm’s git executable path. By leveraging a Git dependency, the attacker could trigger npm to call this malicious program, thereby executing arbitrary local code during the installation phase.
Affected Paths
- Plugin CLI entry point:
src/cli/plugins-cli.ts:199-255 - Hook CLI entry point:
src/cli/hooks-cli.ts:573-676 - Plugin local directory / archive installation:
src/plugins/install.ts:379-405,src/plugins/install.ts:541-565 - Hook local directory / archive installation:
src/hooks/install.ts:380-403,src/hooks/install.ts:443-470 - Actual execution of
npm install --ignore-scripts:src/infra/install-package-dir.ts:176-199
Vulnerability Trigger Flow
-
The user executes one of the following commands:
-
openclaw plugins install <path-or-spec> openclaw hooks install <path-or-spec>- If the argument is a local directory or local archive, OpenClaw navigates to the local installation path.
- OpenClaw copies the source directory to a temporary
stageDir. Seesrc/infra/install-package-dir.ts:176-177. - If
dependenciesare present inpackage.json, OpenClaw executes the following instageDir:
npm install --omit=dev --silent --ignore-scripts
See src/infra/install-package-dir.ts:188-199.
- npm reads the project-level
.npmrcfile in this directory. Official documentation:.npmrc - If
.npmrcis set togit=<path to malicious program>and there is a git dependency in the dependency tree, npm will invoke thatgitprogram when resolving the dependency. Official documentation:npm config gitGit dependency documentation:package.json - Consequently, an attacker can execute arbitrary local programs during the plugin/hook installation phase without waiting for the plugin or hook to be loaded later.
Triggering Commands
- Plugin installation command:
openclaw plugins install <path-or-spec>
- Hook installation command:
openclaw hooks install <path-or-spec>
When <path-or-spec> is a local directory or local archive, it will be resolved to the path used by the npm install --omit=dev --silent --ignore-scripts command mentioned above.
PoC
Currently, testpoc/ is a minimal PoC directory used to verify that “when installing local packages, OpenClaw enters the npm install --ignore-scripts path.” It is divided into two core sections:
testpoc/pkg/
Purpose: Simulates the local package directory installed by openclaw plugins install ... or openclaw hooks install ...
testpoc/repo/
Purpose: Simulates a Git dependency repository within the npm dependency tree
Directory Structure
testpoc/ ├─ pkg/ │ ├─ .npmrc │ ├─ package.json │ └─ sample-hook/ │ ├─ HOOK.md │ └─ handler.js └─ repo/ ├─ package.json └─ .git/... Function of Each Component
testpoc/pkg/.npmrc
Current content: git=calc.exe Function: Overrides npm’s Git executable configuration. Meaning: When npm encounters a git dependency during installation, it will not call the system git but will attempt to call the program specified here. This is the core trigger point of this PoC. See testpoc/pkg/.npmrc:1 testpoc/pkg/package.json
Currently, this is a “mixed-use” manifest that includes both plugin and hook fields: { “name”: “probe-host”, “version”: “1.0.0”, “private”: true, “openclaw”: { “extensions”: [“./dist/index.js”], “hooks”: [“./sample-hook”] }, “dependencies”: { “probe-git-dep”: “git+file:///D:/AI Agent Source/OpenClaw/openclaw-2026.3.13-1/.testpoc/repo” } } Its functionality is divided into three layers: openclaw.extensions: Allows it to be validated as a plugin package openclaw.hooks: Enables it to be validated as a hook package The Git URL in dependencies: Forces npm to enter the Git dependency resolution path during installation See testpoc/pkg/package.json:1 testpoc/pkg/sample-hook/HOOK.md
Purpose: To meet the minimum metadata requirements for a hook package.
This is the key file that allows openclaw hooks install pkg to pass the pre-check. See testpoc/pkg/sample-hook/HOOK.md:1
testpoc/pkg/sample-hook/handler.js
Current content: export default async function handler() { return { ok: true }; } Purpose: Meets the requirement that the hook directory must contain a handler entry file. It is not a usage point in itself; its sole purpose is to allow OpenClaw to proceed to the dependency installation phase. See testpoc/pkg/sample-hook/handler.js:1 testpoc/repo/package.json
Current content: {“name”:“probe-git-dep”,‘version’:“1.0.0”} Purpose: Serves as the minimum repository content corresponding to a Git dependency. The focus is not on the repository code itself, but on the fact that “it is a Git repository,” allowing npm to perform Git-related operations on it. See testpoc/repo/package.json:1 testpoc/repo/.git/
Purpose: Makes testpoc/repo/ a real Git repository rather than a regular directory. When npm resolves git+file://... When installing dependencies, this is treated as the Git source. How the current PoC works
If installing via hooks:
openclaw hooks install testpoc/pkg The trigger chain is:
OpenClaw identifies testpoc/pkg as the local hook package path Through pre-validation in openclaw.hooks, HOOK.md, and handler.js Proceeds to src/infra/install-package-dir.ts:188-199 Executes: npm install --omit=dev --silent --ignore-scripts npm reads testpoc/pkg/.npmrc npm processes the git dependency in package.json npm attempts to call the git=calc.exe specified in .npmrc
Impact
It is best described as an installation-time local command execution / unsafe package-install configuration issue.
More precisely:
OpenClaw installs local plugin and hook packs by running npm install --omit=dev --silent --ignore-scripts inside the staged package directory, see src/infra/install-package-dir.ts:188-199. If that local package directory contains an attacker-controlled .npmrc, npm will still read it. If .npmrc overrides npm’s git executable and the package has a git dependency, npm can invoke the attacker-chosen program during install.
Who is impacted
Users who run:
openclaw plugins install openclaw hooks install
And who install a malicious or untrusted local package that includes:
a controlled .npmrc a git dependency a runnable attacker-controlled git target on that platform
This should be treated as a security issue, not just “malicious plugin behavior,” because the code execution happens during OpenClaw’s install workflow, before the plugin or hook is ever loaded as trusted runtime code.
The important distinction is:
A normal “trusted plugin” case is: the operator installs a plugin, enables it, and later that plugin runs with plugin privileges. This issue is different: OpenClaw’s installer executes npm install --omit=dev --silent --ignore-scripts inside an attacker-controlled package directory, and npm still honors attacker-controlled project config from .npmrc.
That means an untrusted local plugin or hook package can influence the package manager itself and reach arbitrary program execution at install time, via npm’s git setting and a git dependency, even though --ignore-scripts is present.
Why this matters from a security perspective:
It is install-time execution, not post-install trusted execution.
The execution is triggered by OpenClaw’s installer in src/infra/install-package-dir.ts:188-199.
This occurs before the package is accepted as a trusted loaded plugin/hook in the usual sense.
It defeats an expected safety boundary.
The code explicitly uses --ignore-scripts, which strongly suggests an intent to make installation safer.
But the installer still allows attacker-controlled package-manager configuration from .npmrc to affect execution.
So the current mitigation is incomplete in a security-relevant way.
The dangerous input is part of a supported user flow.
OpenClaw explicitly supports installing plugins and hook packs from local directories and archives:
src/cli/plugins-cli.ts:199-255 src/cli/hooks-cli.ts:573-676
That makes “download a package/archive, then install it” a realistic operator action, not an artificial lab setup.
The issue is broader than plugin trust.
The problem is not “plugins can do bad things once trusted.”
The problem is “the installer consumes attacker-controlled package-manager config before trust is established.”
That is much closer to an unsafe install / supply-chain execution flaw than to ordinary trusted-plugin behavior.
Hooks are affected too.
The same installer path is used for hook packs, not only plugins.
So this is a shared install-surface issue, not an isolated plugin-runtime concern.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2025.3.23"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.24"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35641"
],
"database_specific": {
"cwe_ids": [
"CWE-349",
"CWE-426"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-30T18:52:09Z",
"nvd_published_at": "2026-04-10T17:17:04Z",
"severity": "HIGH"
},
"details": "\u003e Fixed in OpenClaw 2026.3.24, the current shipping release.\n\n### Summary\nDuring the installation phase of OpenClaw local plugins/hooks, the Git executable can be hijacked by a project-level .npmrc file, leading to arbitrary code execution during installation.\n\n### Details\nPlease note that the source code locations mentioned below are based on version openclaw-2026.3.13-1, but the issue has been confirmed to still exist in the current latest version, 2026.3.23.\n\nWhen installing a local plugin directory, local plugin archive, local hook pack directory, or local hook pack archive, OpenClaw first copies the source directory to a temporary `stageDir`, then executes the following in that directory:\n\n```\nnpm install --omit=dev --silent --ignore-scripts\n```\n\nSee `src/infra/install-package-dir.ts:176-199`.\n\nSince this process does not strip the project root `.npmrc`, and npm reads the project-level `.npmrc` during local project installation, an attacker could use a `.npmrc` file in a malicious plugin or hook directory to override npm\u2019s `git` executable path. By leveraging a Git dependency, the attacker could trigger npm to call this malicious program, thereby executing arbitrary local code during the installation phase.\n\n**Affected Paths**\n\n- Plugin CLI entry point: `src/cli/plugins-cli.ts:199-255`\n- Hook CLI entry point: `src/cli/hooks-cli.ts:573-676`\n- Plugin local directory / archive installation: `src/plugins/install.ts:379-405`, `src/plugins/install.ts:541-565`\n- Hook local directory / archive installation: `src/hooks/install.ts:380-403`, `src/hooks/install.ts:443-470`\n- Actual execution of `npm install --ignore-scripts`: `src/infra/install-package-dir.ts:176-199`\n\n**Vulnerability Trigger Flow**\n\n1. The user executes one of the following commands:\n\n - `openclaw plugins install \u003cpath-or-spec\u003e`\n - `openclaw hooks install \u003cpath-or-spec\u003e`\n2. If the argument is a local directory or local archive, OpenClaw navigates to the local installation path.\n3. OpenClaw copies the source directory to a temporary `stageDir`. See `src/infra/install-package-dir.ts:176-177`.\n4. If `dependencies` are present in `package.json`, OpenClaw executes the following in `stageDir`:\n\n```\nnpm install --omit=dev --silent --ignore-scripts\n```\n\nSee `src/infra/install-package-dir.ts:188-199`.\n\n5. npm reads the project-level `.npmrc` file in this directory. Official documentation: [`.npmrc`](https://docs.npmjs.com/cli/v11/configuring-npm/npmrc/)\n6. If `.npmrc` is set to `git=\u003cpath to malicious program\u003e` and there is a git dependency in the dependency tree, npm will invoke that `git` program when resolving the dependency. Official documentation: [`npm config git`](https://docs.npmjs.com/cli/v11/using-npm/config/) Git dependency documentation: [`package.json`](https://docs.npmjs.com/cli/v11/configuring-npm/package-json/)\n7. Consequently, an attacker can execute arbitrary local programs during the plugin/hook installation phase without waiting for the plugin or hook to be loaded later.\n\n**Triggering Commands**\n\n- Plugin installation command:\n\n```\nopenclaw plugins install \u003cpath-or-spec\u003e\n```\n\n- Hook installation command:\n\n```\nopenclaw hooks install \u003cpath-or-spec\u003e\n```\n\nWhen `\u003cpath-or-spec\u003e` is a local directory or local archive, it will be resolved to the path used by the `npm install --omit=dev --silent --ignore-scripts` command mentioned above.\n\n### PoC\n\n\n\nCurrently, `testpoc/` is a minimal PoC directory used to verify that \u201cwhen installing local packages, OpenClaw enters the `npm install --ignore-scripts` path.\u201d It is divided into two core sections:\n\ntestpoc/pkg/\nPurpose: Simulates the local package directory installed by `openclaw plugins install ...` or `openclaw hooks install ...`\ntestpoc/repo/\nPurpose: Simulates a Git dependency repository within the npm dependency tree\nDirectory Structure\n\ntestpoc/\n\u251c\u2500 pkg/\n\u2502 \u251c\u2500 .npmrc\n\u2502 \u251c\u2500 package.json\n\u2502 \u2514\u2500 sample-hook/\n\u2502 \u251c\u2500 HOOK.md\n\u2502 \u2514\u2500 handler.js\n\u2514\u2500 repo/\n \u251c\u2500 package.json\n \u2514\u2500 .git/...\nFunction of Each Component\n\ntestpoc/pkg/.npmrc\n\nCurrent content:\ngit=calc.exe\nFunction: Overrides npm\u2019s Git executable configuration.\nMeaning: When npm encounters a git dependency during installation, it will not call the system git but will attempt to call the program specified here.\nThis is the core trigger point of this PoC. See testpoc/pkg/.npmrc:1\ntestpoc/pkg/package.json\n\nCurrently, this is a \u201cmixed-use\u201d manifest that includes both plugin and hook fields:\n{\n \u201cname\u201d: \u201cprobe-host\u201d,\n \u201cversion\u201d: \u201c1.0.0\u201d,\n \u201cprivate\u201d: true,\n \u201copenclaw\u201d: {\n \u201cextensions\u201d: [\u201c./dist/index.js\u201d],\n \u201chooks\u201d: [\u201c./sample-hook\u201d]\n },\n \u201cdependencies\u201d: {\n \u201cprobe-git-dep\u201d: \u201cgit+file:///D:/AI Agent Source/OpenClaw/openclaw-2026.3.13-1/.testpoc/repo\u201d\n }\n}\nIts functionality is divided into three layers:\nopenclaw.extensions: Allows it to be validated as a plugin package\nopenclaw.hooks: Enables it to be validated as a hook package\nThe Git URL in dependencies: Forces npm to enter the Git dependency resolution path during installation\nSee testpoc/pkg/package.json:1\ntestpoc/pkg/sample-hook/HOOK.md\n\nPurpose: To meet the minimum metadata requirements for a hook package.\nThis is the key file that allows `openclaw hooks install pkg` to pass the pre-check. See testpoc/pkg/sample-hook/HOOK.md:1\ntestpoc/pkg/sample-hook/handler.js\n\nCurrent content:\nexport default async function handler() {\n return { ok: true };\n}\nPurpose: Meets the requirement that the hook directory must contain a handler entry file.\nIt is not a usage point in itself; its sole purpose is to allow OpenClaw to proceed to the dependency installation phase. See testpoc/pkg/sample-hook/handler.js:1\ntestpoc/repo/package.json\n\nCurrent content:\n{\u201cname\u201d:\u201cprobe-git-dep\u201d,\u2018version\u2019:\u201c1.0.0\u201d}\nPurpose: Serves as the minimum repository content corresponding to a Git dependency.\nThe focus is not on the repository code itself, but on the fact that \u201cit is a Git repository,\u201d allowing npm to perform Git-related operations on it. See testpoc/repo/package.json:1\ntestpoc/repo/.git/\n\nPurpose: Makes testpoc/repo/ a real Git repository rather than a regular directory.\nWhen npm resolves git+file://... When installing dependencies, this is treated as the Git source.\nHow the current PoC works\n\nIf installing via hooks:\n\nopenclaw hooks install testpoc/pkg\nThe trigger chain is:\n\nOpenClaw identifies testpoc/pkg as the local hook package path\nThrough pre-validation in openclaw.hooks, HOOK.md, and handler.js\nProceeds to src/infra/install-package-dir.ts:188-199\nExecutes:\nnpm install --omit=dev --silent --ignore-scripts\nnpm reads testpoc/pkg/.npmrc\nnpm processes the git dependency in package.json\nnpm attempts to call the git=calc.exe specified in .npmrc\n\n### Impact\nIt is best described as an installation-time local command execution / unsafe package-install configuration issue.\n\nMore precisely:\n\nOpenClaw installs local plugin and hook packs by running npm install --omit=dev --silent --ignore-scripts inside the staged package directory, see src/infra/install-package-dir.ts:188-199.\nIf that local package directory contains an attacker-controlled .npmrc, npm will still read it.\nIf .npmrc overrides npm\u2019s git executable and the package has a git dependency, npm can invoke the attacker-chosen program during install.\n\nWho is impacted\n\nUsers who run:\n\nopenclaw plugins install \u003clocal path/archive\u003e\nopenclaw hooks install \u003clocal path/archive\u003e\n\nAnd who install a malicious or untrusted local package that includes:\n\na controlled .npmrc\na git dependency\na runnable attacker-controlled git target on that platform\n\nThis should be treated as a security issue, not just \u201cmalicious plugin behavior,\u201d because the code execution happens during OpenClaw\u2019s install workflow, before the plugin or hook is ever loaded as trusted runtime code.\n\nThe important distinction is:\n\nA normal \u201ctrusted plugin\u201d case is: the operator installs a plugin, enables it, and later that plugin runs with plugin privileges.\nThis issue is different: OpenClaw\u2019s installer executes npm install --omit=dev --silent --ignore-scripts inside an attacker-controlled package directory, and npm still honors attacker-controlled project config from .npmrc.\n\nThat means an untrusted local plugin or hook package can influence the package manager itself and reach arbitrary program execution at install time, via npm\u2019s git setting and a git dependency, even though --ignore-scripts is present.\n\nWhy this matters from a security perspective:\n\nIt is install-time execution, not post-install trusted execution.\n\nThe execution is triggered by OpenClaw\u2019s installer in src/infra/install-package-dir.ts:188-199.\n\nThis occurs before the package is accepted as a trusted loaded plugin/hook in the usual sense.\n\nIt defeats an expected safety boundary.\n\nThe code explicitly uses --ignore-scripts, which strongly suggests an intent to make installation safer.\n\nBut the installer still allows attacker-controlled package-manager configuration from .npmrc to affect execution.\n\nSo the current mitigation is incomplete in a security-relevant way.\n\nThe dangerous input is part of a supported user flow.\n\nOpenClaw explicitly supports installing plugins and hook packs from local directories and archives:\n\nsrc/cli/plugins-cli.ts:199-255\nsrc/cli/hooks-cli.ts:573-676\n\nThat makes \u201cdownload a package/archive, then install it\u201d a realistic operator action, not an artificial lab setup.\n\nThe issue is broader than plugin trust.\n\nThe problem is not \u201cplugins can do bad things once trusted.\u201d\n\nThe problem is \u201cthe installer consumes attacker-controlled package-manager config before trust is established.\u201d\n\nThat is much closer to an unsafe install / supply-chain execution flaw than to ordinary trusted-plugin behavior.\n\nHooks are affected too.\n\nThe same installer path is used for hook packs, not only plugins.\n\nSo this is a shared install-surface issue, not an isolated plugin-runtime concern.",
"id": "GHSA-m3mh-3mpg-37hw",
"modified": "2026-04-10T19:45:21Z",
"published": "2026-03-30T18:52:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-m3mh-3mpg-37hw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35641"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-npmrc-in-local-plugin-hook-installation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw has an Arbitrary Malicious Code Execution Vulnerability"
}
GHSA-MC43-3P9F-8C28
Vulnerability from github – Published: 2026-06-25 15:31 – Updated: 2026-06-25 15:31A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to cache poisoning.
{
"affected": [],
"aliases": [
"CVE-2026-33612"
],
"database_specific": {
"cwe_ids": [
"CWE-349"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T13:16:38Z",
"severity": "HIGH"
},
"details": "A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to cache poisoning.",
"id": "GHSA-mc43-3p9f-8c28",
"modified": "2026-06-25T15:31:59Z",
"published": "2026-06-25T15:31:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33612"
},
{
"type": "WEB",
"url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-08.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-P2WF-95F3-Q546
Vulnerability from github – Published: 2023-12-21 12:30 – Updated: 2023-12-21 12:30In JetBrains IntelliJ IDEA before 2023.3.2 code execution was possible in Untrusted Project mode via a malicious plugin repository specified in the project configuration
{
"affected": [],
"aliases": [
"CVE-2023-51655"
],
"database_specific": {
"cwe_ids": [
"CWE-345",
"CWE-349"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-21T10:15:36Z",
"severity": "MODERATE"
},
"details": "In JetBrains IntelliJ IDEA before 2023.3.2 code execution was possible in Untrusted Project mode via a malicious plugin repository specified in the project configuration",
"id": "GHSA-p2wf-95f3-q546",
"modified": "2023-12-21T12:30:28Z",
"published": "2023-12-21T12:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51655"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q677-7PJP-5HQ5
Vulnerability from github – Published: 2024-08-20 18:31 – Updated: 2024-11-18 16:27The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors.
{
"affected": [],
"aliases": [
"CVE-2024-27185"
],
"database_specific": {
"cwe_ids": [
"CWE-349",
"CWE-444"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-20T16:15:10Z",
"severity": "MODERATE"
},
"details": "The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors.",
"id": "GHSA-q677-7pjp-5hq5",
"modified": "2024-11-18T16:27:06Z",
"published": "2024-08-20T18:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27185"
},
{
"type": "WEB",
"url": "https://developer.joomla.org/security-centre/942-20240802-core-cache-poisoning-in-pagination.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:A/V:X/RE:X/U:Clear",
"type": "CVSS_V4"
}
]
}
GHSA-Q6MV-284R-MP36
Vulnerability from github – Published: 2024-12-02 17:29 – Updated: 2024-12-02 17:29Impact
The default cache strategy uses the basename of a remote schema as the name of the file in the cache, e.g. https://example.org/schema.json will be stored as schema.json. This naming allows for conflicts. If an attacker can get a user to run check-jsonschema against a malicious schema URL, e.g., https://example.evil.org/schema.json, they can insert their own schema into the cache and it will be picked up and used instead of the appropriate schema.
Such a cache confusion attack could be used to allow data to pass validation which should have been rejected.
Patches
A patch is in progress but has not yet been released.
Workarounds
- Users can use
--no-cacheto disable caching. - Users can use
--cache-filenameto select filenames for use in the cache, or to ensure that other usages do not overwrite the cached schema. (Note: this flag is being deprecated as part of the remediation effort.) - Users can explicitly download the schema before use as a local file, as in
curl -LOs https://example.org/schema.json; check-jsonschema --schemafile ./schema.json
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "check-jsonschema"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.30.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-53848"
],
"database_specific": {
"cwe_ids": [
"CWE-349"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-02T17:29:05Z",
"nvd_published_at": "2024-11-29T19:15:09Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nThe default cache strategy uses the basename of a remote schema as the name of the file in the cache, e.g. `https://example.org/schema.json` will be stored as `schema.json`. This naming allows for conflicts. If an attacker can get a user to run `check-jsonschema` against a malicious schema URL, e.g., `https://example.evil.org/schema.json`, they can insert their own schema into the cache and it will be picked up and used instead of the appropriate schema.\n\nSuch a cache confusion attack could be used to allow data to pass validation which should have been rejected.\n\n### Patches\n\nA patch is in progress but has not yet been released.\n\n### Workarounds\n\n- Users can use `--no-cache` to disable caching.\n- Users can use `--cache-filename` to select filenames for use in the cache, or to ensure that other usages do not overwrite the cached schema. (Note: this flag is being deprecated as part of the remediation effort.)\n- Users can explicitly download the schema before use as a local file, as in `curl -LOs https://example.org/schema.json; check-jsonschema --schemafile ./schema.json`",
"id": "GHSA-q6mv-284r-mp36",
"modified": "2024-12-02T17:29:05Z",
"published": "2024-12-02T17:29:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/python-jsonschema/check-jsonschema/security/advisories/GHSA-q6mv-284r-mp36"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53848"
},
{
"type": "WEB",
"url": "https://github.com/python-jsonschema/check-jsonschema/commit/c52714b85e6725b1b24516fbdedacb333b939152"
},
{
"type": "PACKAGE",
"url": "https://github.com/python-jsonschema/check-jsonschema"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "check-jsonschema default caching for remote schemas allows for cache confusion"
}
GHSA-Q7Q2-QF2Q-RW3W
Vulnerability from github – Published: 2022-05-17 03:07 – Updated: 2024-11-18 16:26Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "1.4"
},
{
"fixed": "1.4.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "1.5"
},
{
"fixed": "1.5.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "1.6"
},
{
"fixed": "1.6.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "1.7a1"
},
{
"fixed": "1.7b4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-1418"
],
"database_specific": {
"cwe_ids": [
"CWE-349"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-16T22:54:50Z",
"nvd_published_at": "2014-05-16T15:55:00Z",
"severity": "CRITICAL"
},
"details": "Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers.",
"id": "GHSA-q7q2-qf2q-rw3w",
"modified": "2024-11-18T16:26:23Z",
"published": "2022-05-17T03:07:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-1418"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/1abcf3a808b35abae5d425ed4d44cb6e886dc769"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/28e23306aa53bbbb8fb87db85f99d970b051026c"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/4001ec8698f577b973c5a540801d8a0bbea1205b"
},
{
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2014-19.yaml"
},
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
},
{
"type": "WEB",
"url": "http://ubuntu.com/usn/usn-2212-1"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2014/dsa-2934"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/05/14/10"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/05/15/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Django Vulnerable to Cache Poisoning"
}
GHSA-RG7M-23R6-4M52
Vulnerability from github – Published: 2024-11-15 18:30 – Updated: 2024-11-15 18:30In JetBrains WebStorm before 2024.3 code execution in Untrusted Project mode was possible via type definitions installer script
{
"affected": [],
"aliases": [
"CVE-2024-52555"
],
"database_specific": {
"cwe_ids": [
"CWE-349"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-15T16:15:38Z",
"severity": "MODERATE"
},
"details": "In JetBrains WebStorm before 2024.3 code execution in Untrusted Project mode was possible via type definitions installer script",
"id": "GHSA-rg7m-23r6-4m52",
"modified": "2024-11-15T18:30:51Z",
"published": "2024-11-15T18:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52555"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RM2J-X595-Q9CJ
Vulnerability from github – Published: 2022-05-14 03:49 – Updated: 2024-09-16 22:35Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "1.3"
},
{
"fixed": "1.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2011-4139"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-349"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-16T22:47:59Z",
"nvd_published_at": "2011-10-19T10:55:00Z",
"severity": "HIGH"
},
"details": "Django before 1.2.7 and 1.3.x before 1.3.1 uses a request\u0027s HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request.",
"id": "GHSA-rm2j-x595-q9cj",
"modified": "2024-09-16T22:35:46Z",
"published": "2022-05-14T03:49:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4139"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/2f7fadc38efa58ac0a8f93f936b82332a199f396"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/c613af4d6485586c79d692b70a9acac429f3ca9d"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=737366"
},
{
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-4.yaml"
},
{
"type": "WEB",
"url": "https://hermes.opensuse.org/messages/14700881"
},
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2011/sep/09"
},
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2011/sep/10/127"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/09/11/1"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/09/13/2"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2011/dsa-2332"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Django Vulnerable to Cache Poisoning"
}
No mitigation information available for this CWE.
CAPEC-141: Cache Poisoning
An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.
CAPEC-142: DNS Cache Poisoning
A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.
CAPEC-75: Manipulating Writeable Configuration Files
Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.