提交 #852945: Sipeed PicoClaw <= 0.2.9 Authentication Bypass by Capture-replay (CWE-294)信息

标题Sipeed PicoClaw <= 0.2.9 Authentication Bypass by Capture-replay (CWE-294)
描述# Technical Details A webhook replay vulnerability exists in the LINE channel in `pkg/channels/line/line.go` of PicoClaw. The application fails to suppress duplicate LINE webhook events after signature verification. `webhook.ParseRequest` validates the HMAC signature, but the handler dispatches every parsed event without replay cache or idempotency checks keyed by the stable LINE `message.id`. # Vulnerable Code File: `pkg/channels/line/line.go` Method: LINE webhook handler Why: Validates the signature, returns `200 OK`, and dispatches every event asynchronously without replay suppression. File: `pkg/channels/line/line.go` Method: `processEvent` Why: Copies the stable LINE `message.id` into `InboundContext.MessageID` but never checks whether that ID has already been processed. # Reproduction 1. Capture or construct a valid signed LINE webhook body. 2. Send the same signed webhook delivery twice to PicoClaw's LINE webhook endpoint. 3. Observe both requests receive `200`. 4. Observe the internal collector records two inbound events with the same `message.id`. 5. Run a control with distinct message IDs and observe each distinct event produces one delivery. # Impact - Allows duplicate agent execution for a single LINE platform event. - Can trigger repeated replies, repeated external tool actions, duplicated workflow transitions, and unnecessary LLM/API spend. - Breaks the guarantee that one platform message maps to one internal action.
来源⚠️ https://github.com/sipeed/picoclaw/issues/3073
用户
 Eric-i (UID 97584)
提交2026-06-09 13時29分 (1 月前)
管理2026-07-17 15時50分 (1 month later)
状态已接受
VulDB条目379795 [Sipeed PicoClaw 直到 0.2.9 LINE Webhook line.go webhook.ParseRequest 弱身份验证]
积分20

Do you know our Splunk app?

Download it now for free!