जमा करें #852945: Sipeed PicoClaw <= 0.2.9 Authentication Bypass by Capture-replay (CWE-294)जानकारी

शीर्षकSipeed PicoClaw <= 0.2.9 Authentication Bypass by Capture-replay (CWE-294)
विवरण# Technical Details A webhook replay vulnerability exists in the LINE channel in `pkg/channels/line/line.go` of PicoClaw. The application fails to suppress duplicate LINE webhook events after signature verification. `webhook.ParseRequest` validates the HMAC signature, but the handler dispatches every parsed event without replay cache or idempotency checks keyed by the stable LINE `message.id`. # Vulnerable Code File: `pkg/channels/line/line.go` Method: LINE webhook handler Why: Validates the signature, returns `200 OK`, and dispatches every event asynchronously without replay suppression. File: `pkg/channels/line/line.go` Method: `processEvent` Why: Copies the stable LINE `message.id` into `InboundContext.MessageID` but never checks whether that ID has already been processed. # Reproduction 1. Capture or construct a valid signed LINE webhook body. 2. Send the same signed webhook delivery twice to PicoClaw's LINE webhook endpoint. 3. Observe both requests receive `200`. 4. Observe the internal collector records two inbound events with the same `message.id`. 5. Run a control with distinct message IDs and observe each distinct event produces one delivery. # Impact - Allows duplicate agent execution for a single LINE platform event. - Can trigger repeated replies, repeated external tool actions, duplicated workflow transitions, and unnecessary LLM/API spend. - Breaks the guarantee that one platform message maps to one internal action.
स्रोत⚠️ https://github.com/sipeed/picoclaw/issues/3073
उपयोगकर्ता
 Eric-i (UID 97584)
सबमिशन09/06/2026 01:29 PM (1 महीना पहले)
संयम17/07/2026 03:50 PM (1 month later)
स्थितिस्वीकृत
VulDB प्रविष्टि379795 [Sipeed PicoClaw तक 0.2.9 LINE Webhook line.go webhook.ParseRequest कमजोर प्रमाणीकरण]
अंक20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!