CVE-2026-22178: OpenClaw has ReDoS and regex injection via unescaped Feishu mention metadata in RegExp construction
extensions/feishu/src/bot.ts constructed new RegExp() directly from Feishu mention metadata (mention.name, mention.key) in stripBotMention() without escaping regex metacharacters. Because that metadata arrives with the incoming message, any regex metacharacters it contains change the compiled pattern (regex injection), and a crafted value can yield a pattern that backtracks catastrophically on the message text (ReDoS).
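The following is an added illustration, not OpenClaw's own code: a hypothetical stripBotMention() built the vulnerable way beside two fixed variants, one that escapes the metadata before building the RegExp and one that avoids RegExp entirely. The FeishuMention shape and the helper names are assumptions for the example.

```typescript
// Assumed shape of the mention metadata that accompanies a Feishu message.
interface FeishuMention {
  key: string;  // placeholder that appears in the message text, e.g. "@_user_1"
  name: string; // display name shipped alongside the message
}

/** Vulnerable form: metadata is interpolated into the RegExp source unescaped.
 *  A name such as "bot.1" over-matches ("." is a wildcard) and a name such as
 *  "bot)" throws at construction; a crafted value could also backtrack badly. */
function stripBotMentionUnsafe(text: string, m: FeishuMention): string {
  const re = new RegExp(`(${m.key}|@${m.name})\\s*`, "g");
  return text.replace(re, "").trim();
}

/** Escape every character that carries meaning in a RegExp source. */
function escapeRegExp(value: string): string {
  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

/** Fixed form: both fields are escaped, so they only ever match literally,
 *  which also removes any attacker control over the pattern's structure. */
function stripBotMentionSafe(text: string, m: FeishuMention): string {
  const re = new RegExp(
    `(${escapeRegExp(m.key)}|@${escapeRegExp(m.name)})\\s*`,
    "g",
  );
  return text.replace(re, "").trim();
}

/** Simplest form: no RegExp from untrusted input at all. split/join treats the
 *  mention text as a plain literal; only a fixed whitespace regex remains. */
function stripBotMentionLiteral(text: string, m: FeishuMention): string {
  let out = text;
  for (const token of [m.key, `@${m.name}`]) {
    out = out.split(token).join("");
  }
  return out.replace(/\s{2,}/g, " ").trim();
}
```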
References
- github.com/advisories/GHSA-c6hr-w26q-c636
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/74268489137510b6f6349919d1e197b17290d92c
- github.com/openclaw/openclaw/commit/7e67ab75cc2f0e93569d12fecd1411c2961fcc8c
- github.com/openclaw/openclaw/security/advisories/GHSA-c6hr-w26q-c636
- nvd.nist.gov/vuln/detail/CVE-2026-22178
- www.vulncheck.com/advisories/openclaw-redos-and-regex-injection-via-unescaped-feishu-mention-metadata