GHSA-c6hr-w26q-c636: OpenClaw has ReDoS and regex injection via unescaped Feishu mention metadata in RegExp construction

March 2, 2026

extensions/feishu/src/bot.ts constructed new RegExp() directly from Feishu mention metadata (mention.name, mention.key) in stripBotMention() without escaping regex metacharacters.

References

github.com/advisories/GHSA-c6hr-w26q-c636
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/74268489137510b6f6349919d1e197b17290d92c
github.com/openclaw/openclaw/commit/7e67ab75cc2f0e93569d12fecd1411c2961fcc8c
github.com/openclaw/openclaw/security/advisories/GHSA-c6hr-w26q-c636

Code Behaviors & Features

Detect and mitigate GHSA-c6hr-w26q-c636 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →