# Vulnerability Summary

## Vulnerability Overview

The OpenClaw platform has a weakness in which the **Control UI bootstrap payload can be tampered with**. Whoever controls the bootstrap configuration delivered to the frontend can inject arbitrary `assistantAgentId` and `serverVersion` values, potentially enabling identity spoofing, unauthorized access, or hijacking of client behaviour.

The weakness stems from the frontend not strictly validating bootstrap data. The accompanying diff removes the test assertions that checked the payload did not carry `assistantAgentId` and `serverVersion`, and the UI controller now copies both fields straight into its state, so they became trusted inputs without a corresponding validation step.

---

## Impact Scope

- **Affected Modules**: `src/gateway/control-ui-*.ts`, `ui/src/ui/controllers/control-ui-*.ts`, `ui/vite.config.ts`
- **Affected Components**:
  - Control UI initialization logic (`loadControlUiBootstrapConfig`)
  - Identity resolution (`normalizeAssistantIdentity`)
  - Frontend configuration definition (`defineConfig`)
- **Potential Risks**:
  - A malicious party can forge `assistantAgentId` (e.g., set it to `"main"`) to bypass any permission control that is keyed on that value
  - `serverVersion` can be tampered with, causing abnormal client behaviour or compatibility issues
  - If the backend relies on identity information passed back from the frontend, this may lead to unauthorized operations
- **Precondition**: the payload is produced by the gateway (`handleControlUiHttpRequest`) and consumed by the UI controller. Tampering therefore requires control over that response, whether through a compromised or misconfigured gateway or a position to rewrite it in transit; the diff alone does not show whether any authorization decision consumes the client-side value.

---

## Remediation Plan

1. **Backend Validation**: In the gateway layer (`src/gateway/control-ui-*.ts`), perform allowlist validation or signature verification on `assistantAgentId` and `serverVersion` before they are emitted in the payload.
2. **Frontend Hardening**: In `ui/src/ui/controllers/control-ui-*.ts`, restore non-null and format checks for the critical fields, and never trust values from the payload without validating them first.
3. **Test Regression**: Update the test cases (e.g., `control-ui-bootstrap.test.ts`) so that `assistantAgentId` and `serverVersion` must be valid values; otherwise initialization must be rejected.
4. **Configuration Security**: In `ui/vite.config.ts`, remove the default empty-string assignments and make the fields mandatory or retrieve them from a trusted source.

---

## POC / Exploit Code (from diff changes)

The following are excerpts of the lines removed or changed in the diff, with the surrounding code elided.

```ts
// src/gateway/control-ui-Http.test.ts (excerpt of the changed assertions)
describe("handleControlUiHttpRequest", () => {
  it("serves the bootstrap payload", () => {
    // ... request handling and JSON parsing of the response elided ...
    expect(parsed.assistantAgentId).toBe("main");
    expect(parsed).not.toHaveProperty("assistantAgentId"); // removed → injectable
    expect(parsed).not.toHaveProperty("serverVersion"); // removed → tamperable
  });
});

// ui/src/ui/controllers/control-ui-ui-bootstrap.test.ts (excerpt)
expect(state.assistantAgentId).toBe("main");
expect(state.serverVersion).toBeNull(); // removed → can be set to any value

// ui/src/ui/controllers/control-ui-bootstrap.ts (excerpt)
const normalized = normalizeAssistantIdentity({
  agentId: parsed.assistantAgentId ?? null, // source not validated
  name: parsed.assistantName,
  avatar: parsed.assistantAvatar ?? null,
});
state.assistantAgentId = normalized.agentId ?? null; // direct assignment
state.serverVersion = parsed.serverVersion ?? null; // direct assignment

// ui/vite.config.ts (excerpt; surrounding build options elided)
export default defineConfig(() => ({
  basePath: "/",
  assistantName: "",
  assistantAvatar: "",
  assistantAgentId: "", // default empty value → can be overridden
}));
```

> ⚠️ Note: The snippets above are the parts “removed” or changed in the diff; they are not an exploit in themselves. Exploitation consists of an attacker who controls the bootstrap payload the Control UI receives supplying their own `assistantAgentId` and `serverVersion`, which the UI now accepts without validation.
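The following is an added example, not OpenClaw's own code, showing how remediation steps 1 to 3 can be implemented as a single strict parser for the bootstrap payload: every critical field must be present, `assistantAgentId` must match a conservative format and an allowlist, and `serverVersion` must look like a release version, with initialization rejected otherwise. The function and type names (`parseControlUiBootstrap`, `BootstrapValidationError`, `isAcceptableBootstrap`), the regular expressions, and the sample payloads are all assumptions made for this example; only the field names come from the advisory.

```typescript
// Added example (not OpenClaw code): strict parsing of the Control UI bootstrap
// payload. Names and formats here are assumed; field names follow the advisory.

export interface ControlUiBootstrap {
  basePath: string;
  assistantName: string;
  assistantAvatar: string | null;
  assistantAgentId: string;
  serverVersion: string;
}

export class BootstrapValidationError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "BootstrapValidationError";
    Object.setPrototypeOf(this, BootstrapValidationError.prototype);
  }
}

// Agent ids: short, lowercase, no path or separator characters, so values such as
// "../main" or "main;admin" never reach identity resolution (assumed format).
const AGENT_ID_RE = /^[a-z0-9][a-z0-9_-]{0,63}$/;
// Server version: plain semver with an optional pre-release tag (assumed format).
const SERVER_VERSION_RE = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

function requireString(obj: Record<string, unknown>, key: string): string {
  const value = obj[key];
  if (typeof value !== "string" || value.length === 0) {
    throw new BootstrapValidationError(`bootstrap field "${key}" is missing or empty`);
  }
  return value;
}

export function parseControlUiBootstrap(
  raw: string,
  allowedAgentIds: ReadonlySet<string>,
): ControlUiBootstrap {
  let parsed: unknown;
  try {
    parsed = JSON.parse(raw);
  } catch {
    throw new BootstrapValidationError("bootstrap payload is not valid JSON");
  }
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
    throw new BootstrapValidationError("bootstrap payload must be a JSON object");
  }
  const obj = parsed as Record<string, unknown>;

  const assistantAgentId = requireString(obj, "assistantAgentId");
  if (!AGENT_ID_RE.test(assistantAgentId)) {
    throw new BootstrapValidationError(`assistantAgentId has an invalid format: ${JSON.stringify(assistantAgentId)}`);
  }
  // Allowlist check: the UI accepts only agent ids the deployment has registered.
  if (!allowedAgentIds.has(assistantAgentId)) {
    throw new BootstrapValidationError(`assistantAgentId ${JSON.stringify(assistantAgentId)} is not an allowed agent`);
  }

  const serverVersion = requireString(obj, "serverVersion");
  if (!SERVER_VERSION_RE.test(serverVersion)) {
    throw new BootstrapValidationError(`serverVersion has an invalid format: ${JSON.stringify(serverVersion)}`);
  }

  const basePath = requireString(obj, "basePath");
  if (!basePath.startsWith("/")) {
    throw new BootstrapValidationError("basePath must be an absolute path");
  }

  const avatar = obj.assistantAvatar;
  if (avatar !== undefined && avatar !== null && typeof avatar !== "string") {
    throw new BootstrapValidationError("assistantAvatar must be a string or null");
  }

  return {
    basePath,
    assistantName: requireString(obj, "assistantName"),
    assistantAvatar: typeof avatar === "string" && avatar.length > 0 ? avatar : null,
    assistantAgentId,
    serverVersion,
  };
}

// True when the payload would be accepted, false when validation rejects it.
// Errors other than validation failures still propagate.
export function isAcceptableBootstrap(raw: string, allowedAgentIds: ReadonlySet<string>): boolean {
  try {
    parseControlUiBootstrap(raw, allowedAgentIds);
    return true;
  } catch (err) {
    if (err instanceof BootstrapValidationError) return false;
    throw err;
  }
}

// Constructed sample payloads for this example (not captured from OpenClaw).
export const ALLOWED_AGENTS: ReadonlySet<string> = new Set(["main", "support"]);
export const GOOD_PAYLOAD = JSON.stringify({
  basePath: "/", assistantName: "Assistant", assistantAvatar: null,
  assistantAgentId: "main", serverVersion: "1.4.0",
});
export const TAMPERED_AGENT = JSON.stringify({ // agent id outside the allowlist
  basePath: "/", assistantName: "Assistant", assistantAvatar: null,
  assistantAgentId: "admin", serverVersion: "1.4.0",
});
export const TAMPERED_VERSION = JSON.stringify({ // injected text in the version
  basePath: "/", assistantName: "Assistant", assistantAvatar: null,
  assistantAgentId: "main", serverVersion: "1.4.0<script>",
});
export const MISSING_FIELDS = JSON.stringify({ basePath: "/", assistantName: "Assistant" });
```

The same parser can sit on both sides of the boundary: the gateway runs it (or the equivalent checks) before serializing the payload, and the UI controller runs it on the parsed response before anything is handed to `normalizeAssistantIdentity`. A test suite for step 3 then asserts that each of the tampered payloads above causes initialization to fail rather than asserting merely that the fields are present.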