Homepage

@openclaw/feishu@2026.2.21

OpenClaw Feishu/Lark channel plugin (community maintained by @m1heng)

  • latest version

    2026.3.13

  • first published

    1 months ago

  • latest version published

    20 days ago

  • View feishu package health on Snyk  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the @openclaw/feishu package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Incorrect Authorization

    @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin (community maintained by @m1heng)

    Affected versions of this package are vulnerable to Incorrect Authorization via the upload_image process in the Feishu extension. An attacker can access arbitrary files outside the intended file-system sandbox by submitting crafted upload paths.

    How to fix Incorrect Authorization?

    A fix was pushed into the master branch but not yet published.

    >=2026.2.6
    • H
    Allocation of Resources Without Limits or Throttling

    @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin (community maintained by @m1heng)

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the installRequestBodyLimitGuard function in the Feishu webhook handler, which applies permissive body size and timeout limits before authentication. An attacker can exhaust server connection resources and block legitimate webhook deliveries by sending multiple slow HTTP POST requests to the affected endpoint.

    How to fix Allocation of Resources Without Limits or Throttling?

    A fix was pushed into the master branch but not yet published.

    *
    • M
    Incorrect Authorization

    @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin (community maintained by @m1heng)

    Affected versions of this package are vulnerable to Incorrect Authorization via the callback handling process. An attacker can gain unauthorized access to callback functionality by sending specially crafted legacy raw card payloads that bypass recipient pairing checks.

    How to fix Incorrect Authorization?

    A fix was pushed into the master branch but not yet published.

    >=0.0.0
    • H
    Allocation of Resources Without Limits or Throttling

    @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin (community maintained by @m1heng)

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Feishu webhook handling process. An attacker can cause excessive resource consumption by sending unauthenticated requests that are fully parsed before signature validation.

    How to fix Allocation of Resources Without Limits or Throttling?

    A fix was pushed into the master branch but not yet published.

    >=0.0.0
    • M
    Incorrect Authorization

    @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin (community maintained by @m1heng)

    Affected versions of this package are vulnerable to Incorrect Authorization via the event authorization. An attacker can bypass group authorization and mention gating by crafting a synthetic reaction event with an omitted chat_type field, causing the system to misclassify a group conversation as a direct message.

    How to fix Incorrect Authorization?

    Upgrade @openclaw/feishu to version 2026.3.12 or higher.

    <2026.3.12
    • L
    Incorrect Authorization

    @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin (community maintained by @m1heng)

    Affected versions of this package are vulnerable to Incorrect Authorization through improper access control in the pairing store process. An attacker can gain unauthorized access to another account's direct message pairing by leveraging approval from a different account in multi-account deployments.

    How to fix Incorrect Authorization?

    Upgrade @openclaw/feishu to version 2026.3.1 or higher.

    <2026.3.1
    • M
    Incorrect Authorization

    @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin (community maintained by @m1heng)

    Affected versions of this package are vulnerable to Incorrect Authorization via the channels.feishu.allowFrom process. An attacker can gain unauthorized access by setting a display name that collides with an allowlisted ID, thereby bypassing intended authorization checks.

    How to fix Incorrect Authorization?

    Upgrade @openclaw/feishu to version 2026.2.22 or higher.

    <2026.2.22
    Go back to all versions of this package