| Titre | Sipeed PicoClaw <= 0.2.9 Authentication Bypass by Capture-replay (CWE-294) |
|---|
| Description | # Technical Details
A webhook replay vulnerability exists in the LINE channel in `pkg/channels/line/line.go` of PicoClaw.
The application fails to suppress duplicate LINE webhook events after signature verification. `webhook.ParseRequest` validates the HMAC signature, but the handler dispatches every parsed event without replay cache or idempotency checks keyed by the stable LINE `message.id`.
# Vulnerable Code
File: `pkg/channels/line/line.go`
Method: LINE webhook handler
Why: Validates the signature, returns `200 OK`, and dispatches every event asynchronously without replay suppression.
File: `pkg/channels/line/line.go`
Method: `processEvent`
Why: Copies the stable LINE `message.id` into `InboundContext.MessageID` but never checks whether that ID has already been processed.
# Reproduction
1. Capture or construct a valid signed LINE webhook body.
2. Send the same signed webhook delivery twice to PicoClaw's LINE webhook endpoint.
3. Observe both requests receive `200`.
4. Observe the internal collector records two inbound events with the same `message.id`.
5. Run a control with distinct message IDs and observe each distinct event produces one delivery.
# Impact
- Allows duplicate agent execution for a single LINE platform event.
- Can trigger repeated replies, repeated external tool actions, duplicated workflow transitions, and unnecessary LLM/API spend.
- Breaks the guarantee that one platform message maps to one internal action. |
|---|
| La source | ⚠️ https://github.com/sipeed/picoclaw/issues/3073 |
|---|
| Utilisateur | Eric-i (UID 97584) |
|---|
| Soumission | 09/06/2026 13:29 (il y a 1 mois) |
|---|
| Modérer | 17/07/2026 15:50 (1 month later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 379795 [Sipeed PicoClaw jusqu’à 0.2.9 LINE Webhook line.go webhook.ParseRequest authentification faible] |
|---|
| Points | 20 |
|---|