Common Weakness Enumeration

CWE-1254

Allowed

Incorrect Comparison Logic Granularity

Abstraction: Base · Status: Draft

The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes.

12 vulnerabilities reference this CWE, most recent first.

GHSA-RVH4-4HM5-GX4X

Vulnerability from github – Published: 2025-12-09 03:31 – Updated: 2025-12-11 15:30
VLAI
Details

Plack-Middleware-Session versions before 0.17 may be vulnerable to HMAC comparison timing attacks

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-10031"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1254"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-09T01:16:42Z",
    "severity": "HIGH"
  },
  "details": "Plack-Middleware-Session versions before 0.17 may be vulnerable to HMAC comparison timing attacks",
  "id": "GHSA-rvh4-4hm5-gx4x",
  "modified": "2025-12-11T15:30:31Z",
  "published": "2025-12-09T03:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-10031"
    },
    {
      "type": "WEB",
      "url": "https://github.com/plack/Plack-Middleware-Session/commit/b7f0252269ba1bb812b5dc02303754fe94c808e4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XXVH-5HWJ-42PP

Vulnerability from github – Published: 2026-02-18 22:44 – Updated: 2026-02-20 16:47
VLAI
Summary
OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation
Details

Description

normalizeForHash in src/agents/sandbox/config-hash.ts recursively sorted arrays that contained only primitive values. This made order-sensitive sandbox configuration arrays hash to the same value even when order changed.

In OpenClaw sandbox flows, this hash is used to decide whether existing sandbox containers should be recreated. As a result, order-only config changes (for example Docker dns and binds array order) could be treated as unchanged and stale containers could be reused.

This is a configuration integrity issue affecting sandbox recreation behavior.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: <=2026.2.14
  • Patched (planned next release): >=2026.2.15
  • Latest published npm version at triage time (2026-02-16): 2026.2.14

Remediation

Array ordering is now preserved during hash normalization; only object key ordering remains normalized for deterministic hashing.

Fix Commit(s)

  • 41ded303b4f6dae5afa854531ff837c3276ad60b

Release Process Note

patched_versions is pre-set to the planned next release (2026.2.15) so after npm publish, the advisory can be published directly without reopening version metadata edits.

Thanks @kexinoh ( of Tencent zhuque Lab, by https://github.com/Tencent/AI-Infra-Guard) for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27007"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1254"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-18T22:44:10Z",
    "nvd_published_at": "2026-02-20T00:16:17Z",
    "severity": "MODERATE"
  },
  "details": "## Description\n\n`normalizeForHash` in `src/agents/sandbox/config-hash.ts` recursively sorted arrays that contained only primitive values. This made order-sensitive sandbox configuration arrays hash to the same value even when order changed.\n\nIn OpenClaw sandbox flows, this hash is used to decide whether existing sandbox containers should be recreated. As a result, order-only config changes (for example Docker `dns` and `binds` array order) could be treated as unchanged and stale containers could be reused.\n\nThis is a configuration integrity issue affecting sandbox recreation behavior.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected: `\u003c=2026.2.14`\n- Patched (planned next release): `\u003e=2026.2.15`\n- Latest published npm version at triage time (2026-02-16): `2026.2.14`\n\n## Remediation\n\nArray ordering is now preserved during hash normalization; only object key ordering remains normalized for deterministic hashing.\n\n## Fix Commit(s)\n\n- `41ded303b4f6dae5afa854531ff837c3276ad60b`\n\n## Release Process Note\n\n`patched_versions` is pre-set to the planned next release (`2026.2.15`) so after npm publish, the advisory can be published directly without reopening version metadata edits.\n\nThanks @kexinoh ( of Tencent zhuque Lab, by https://github.com/Tencent/AI-Infra-Guard) for reporting.",
  "id": "GHSA-xxvh-5hwj-42pp",
  "modified": "2026-02-20T16:47:26Z",
  "published": "2026-02-18T22:44:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xxvh-5hwj-42pp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27007"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/41ded303b4f6dae5afa854531ff837c3276ad60b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.15"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw\u0027s sandbox config hash sorted primitive arrays and suppressed needed container recreation"
}

Mitigation
Implementation

The hardware designer should ensure that comparison logic is implemented so as to compare in one operation instead in smaller chunks.

CAPEC-26: Leveraging Race Conditions

The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.