CWE-1254
AllowedIncorrect Comparison Logic Granularity
Abstraction: Base · Status: Draft
The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes.
12 vulnerabilities reference this CWE, most recent first.
GHSA-RVH4-4HM5-GX4X
Vulnerability from github – Published: 2025-12-09 03:31 – Updated: 2025-12-11 15:30Plack-Middleware-Session versions before 0.17 may be vulnerable to HMAC comparison timing attacks
{
"affected": [],
"aliases": [
"CVE-2013-10031"
],
"database_specific": {
"cwe_ids": [
"CWE-1254"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-09T01:16:42Z",
"severity": "HIGH"
},
"details": "Plack-Middleware-Session versions before 0.17 may be vulnerable to HMAC comparison timing attacks",
"id": "GHSA-rvh4-4hm5-gx4x",
"modified": "2025-12-11T15:30:31Z",
"published": "2025-12-09T03:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-10031"
},
{
"type": "WEB",
"url": "https://github.com/plack/Plack-Middleware-Session/commit/b7f0252269ba1bb812b5dc02303754fe94c808e4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XXVH-5HWJ-42PP
Vulnerability from github – Published: 2026-02-18 22:44 – Updated: 2026-02-20 16:47Description
normalizeForHash in src/agents/sandbox/config-hash.ts recursively sorted arrays that contained only primitive values. This made order-sensitive sandbox configuration arrays hash to the same value even when order changed.
In OpenClaw sandbox flows, this hash is used to decide whether existing sandbox containers should be recreated. As a result, order-only config changes (for example Docker dns and binds array order) could be treated as unchanged and stale containers could be reused.
This is a configuration integrity issue affecting sandbox recreation behavior.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected:
<=2026.2.14 - Patched (planned next release):
>=2026.2.15 - Latest published npm version at triage time (2026-02-16):
2026.2.14
Remediation
Array ordering is now preserved during hash normalization; only object key ordering remains normalized for deterministic hashing.
Fix Commit(s)
41ded303b4f6dae5afa854531ff837c3276ad60b
Release Process Note
patched_versions is pre-set to the planned next release (2026.2.15) so after npm publish, the advisory can be published directly without reopening version metadata edits.
Thanks @kexinoh ( of Tencent zhuque Lab, by https://github.com/Tencent/AI-Infra-Guard) for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27007"
],
"database_specific": {
"cwe_ids": [
"CWE-1254"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-18T22:44:10Z",
"nvd_published_at": "2026-02-20T00:16:17Z",
"severity": "MODERATE"
},
"details": "## Description\n\n`normalizeForHash` in `src/agents/sandbox/config-hash.ts` recursively sorted arrays that contained only primitive values. This made order-sensitive sandbox configuration arrays hash to the same value even when order changed.\n\nIn OpenClaw sandbox flows, this hash is used to decide whether existing sandbox containers should be recreated. As a result, order-only config changes (for example Docker `dns` and `binds` array order) could be treated as unchanged and stale containers could be reused.\n\nThis is a configuration integrity issue affecting sandbox recreation behavior.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected: `\u003c=2026.2.14`\n- Patched (planned next release): `\u003e=2026.2.15`\n- Latest published npm version at triage time (2026-02-16): `2026.2.14`\n\n## Remediation\n\nArray ordering is now preserved during hash normalization; only object key ordering remains normalized for deterministic hashing.\n\n## Fix Commit(s)\n\n- `41ded303b4f6dae5afa854531ff837c3276ad60b`\n\n## Release Process Note\n\n`patched_versions` is pre-set to the planned next release (`2026.2.15`) so after npm publish, the advisory can be published directly without reopening version metadata edits.\n\nThanks @kexinoh ( of Tencent zhuque Lab, by https://github.com/Tencent/AI-Infra-Guard) for reporting.",
"id": "GHSA-xxvh-5hwj-42pp",
"modified": "2026-02-20T16:47:26Z",
"published": "2026-02-18T22:44:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xxvh-5hwj-42pp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27007"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/41ded303b4f6dae5afa854531ff837c3276ad60b"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.15"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw\u0027s sandbox config hash sorted primitive arrays and suppressed needed container recreation"
}
Mitigation
The hardware designer should ensure that comparison logic is implemented so as to compare in one operation instead in smaller chunks.
CAPEC-26: Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.