GHSA-c6hr-w26q-c636
Severity: LOW (CVSS 2.5) | Published: Mar 2, 2026 | Verified by: gemini-3.1-flash-lite-preview
Description
OpenClaw has ReDoS and regex injection via unescaped Feishu mention metadata in RegExp construction
How AI Introduced This
The application dynamically constructs a RegExp using unescaped user-provided mention metadata (keys and names), allowing attackers to inject regex metacharacters that cause catastrophic backtracking or unintended regex behavior.
Causality Analysis
✓ CONFIRMED: 2267d58afcc7
- Vulnerability: ReDoS and Regex Injection
- Root Cause: The application dynamically constructs a RegExp using unescaped user-provided mention metadata (keys and names), allowing attackers to inject regex metacharacters that cause catastrophic backtracking or unintended regex behavior.
- Pattern: `new RegExp(mention.name)` or `new RegExp(mention.key)` using unsanitized input from Feishu message metadata
- Causal Chain: The commit created the `stripBotMention` function, which directly passed user-controlled metadata fields into the `RegExp` constructor without escaping, enabling regex injection and ReDoS.
- Reasoning: The blamed commit introduced the `bot.ts` file, which contained the initial implementation of `stripBotMention` using `new RegExp()` with unsanitized `mention.name` and `mention.key` inputs. This established the vulnerable pattern that was later identified and patched in the fix commit.
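The pattern the analysis describes, shown side by side with its hardened form, as an added example: this is illustrative code written for this page, not OpenClaw's `stripBotMention` or the fix commit. The mention object shape (`key`, `name`), the sample messages, and the function names are assumptions modelled on the advisory text.

```javascript
// Constructed sample of what a Feishu-style mention entry might carry (assumed shape):
// `key` is the placeholder token that appears in the message text, `name` the display name.
const SAMPLE_MENTION = { key: "@_user_1", name: "OpenClaw Bot" };

// Vulnerable pattern as the advisory describes it: metadata interpolated into the
// RegExp source unescaped, so the sender controls the pattern, not just the text.
function stripBotMentionUnsafe(text, mention) {
  const re = new RegExp(`${mention.key}|@${mention.name}`, "g");
  return text.replace(re, "").trim();
}

// Escape every regex metacharacter so the metadata is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Hardened form: identical behaviour for benign names, literal matching for hostile ones.
// Because the resulting pattern is a plain alternation of literals, there is no
// nested quantifier for the engine to backtrack over, which removes the ReDoS surface.
function stripBotMentionSafe(text, mention) {
  const re = new RegExp(
    `${escapeRegExp(mention.key)}|@${escapeRegExp(mention.name)}`,
    "g",
  );
  return text.replace(re, "").trim();
}

// Detection aid: flag mention metadata that carries regex metacharacters at all.
// Benign display names rarely do, so a hit is worth logging in the ingest path.
function hasRegexMetachars(s) {
  return /[.*+?^${}()|[\]\\]/.test(s);
}

// Constructed hostile mention: a display name of "." turns "@name" into "@." in the
// unsafe version, which then strips "@" plus any following character anywhere in the text.
const HOSTILE_MENTION = { key: "@_user_1", name: "." };

function demo() {
  const benign = "@_user_1 hello";
  const tricky = "@_user_1 email me at a@b.com";
  return {
    benignUnsafe: stripBotMentionUnsafe(benign, SAMPLE_MENTION), // "hello"
    benignSafe: stripBotMentionSafe(benign, SAMPLE_MENTION),     // "hello"
    hostileUnsafe: stripBotMentionUnsafe(tricky, HOSTILE_MENTION), // "email me at a.com"
    hostileSafe: stripBotMentionSafe(tricky, HOSTILE_MENTION),     // "email me at a@b.com"
    flagged: hasRegexMetachars(HOSTILE_MENTION.name),             // true
  };
}

console.log(demo());
```

A name containing an unbalanced `(` makes the unsafe constructor throw a `SyntaxError` for every message that carries the mention, so the same unescaped interpolation is also a crash vector for the handler; the escaped form builds the pattern without complaint.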
AI Signal Details
AI Signals in 2267d58
- Claude Code (co-author trailer): `Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>` (95%)
Bug-Introducing Commits (1)
- 2267d58 (AI): feat(feishu): replace built-in SDK with community plugin
  Author: Yifeng Wang, Feb 5, 2026; File: extensions/feishu/src/bot.ts; Blame: 90%