GHSA-7xhj-55q9-pc3m: OpenClaw's hook transform module path allows traversal and arbitrary JavaScript module loading

March 3, 2026

OpenClaw hook mapping transforms could be loaded via absolute paths or .. traversal, allowing arbitrary JavaScript module loading/execution in the gateway process when an attacker can modify hooks configuration.

References

github.com/advisories/GHSA-7xhj-55q9-pc3m
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/18e8bd68c5015a894f999c6d5e6e32468965bfb5
github.com/openclaw/openclaw/commit/a0361b8ba959e8506dc79d638b6e6a00d12887e4
github.com/openclaw/openclaw/security/advisories/GHSA-7xhj-55q9-pc3m

Code Behaviors & Features

Detect and mitigate GHSA-7xhj-55q9-pc3m with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →