제출 #852945: Sipeed PicoClaw <= 0.2.9 Authentication Bypass by Capture-replay (CWE-294)정보

제목Sipeed PicoClaw <= 0.2.9 Authentication Bypass by Capture-replay (CWE-294)
설명# Technical Details A webhook replay vulnerability exists in the LINE channel in `pkg/channels/line/line.go` of PicoClaw. The application fails to suppress duplicate LINE webhook events after signature verification. `webhook.ParseRequest` validates the HMAC signature, but the handler dispatches every parsed event without replay cache or idempotency checks keyed by the stable LINE `message.id`. # Vulnerable Code File: `pkg/channels/line/line.go` Method: LINE webhook handler Why: Validates the signature, returns `200 OK`, and dispatches every event asynchronously without replay suppression. File: `pkg/channels/line/line.go` Method: `processEvent` Why: Copies the stable LINE `message.id` into `InboundContext.MessageID` but never checks whether that ID has already been processed. # Reproduction 1. Capture or construct a valid signed LINE webhook body. 2. Send the same signed webhook delivery twice to PicoClaw's LINE webhook endpoint. 3. Observe both requests receive `200`. 4. Observe the internal collector records two inbound events with the same `message.id`. 5. Run a control with distinct message IDs and observe each distinct event produces one delivery. # Impact - Allows duplicate agent execution for a single LINE platform event. - Can trigger repeated replies, repeated external tool actions, duplicated workflow transitions, and unnecessary LLM/API spend. - Breaks the guarantee that one platform message maps to one internal action.
원천⚠️ https://github.com/sipeed/picoclaw/issues/3073
사용자
 Eric-i (UID 97584)
제출2026. 06. 09. PM 01:29 (1 월 ago)
모더레이션2026. 07. 17. PM 03:50 (1 month later)
상태수락
VulDB 항목379795 [Sipeed PicoClaw 까지 0.2.9 LINE Webhook line.go webhook.ParseRequest 약한 인증]
포인트들20

Want to know what is going to be exploited?

We predict KEV entries!