@openclaw/voice-call 2026.2.19

Direct Vulnerabilities

Known vulnerabilities in the @openclaw/voice-call package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
L Replay Attack @openclaw/voice-call is an OpenClaw voice-call plugin Affected versions of this package are vulnerable to Replay Attack in the `callback` process. An attacker can alter the origin of a Plivo callback before it is rejected by replaying a captured valid callback for a live call. How to fix Replay Attack? A fix was pushed into the `master` branch but not yet published.	>=0.0.0
M Replay Attack @openclaw/voice-call is an OpenClaw voice-call plugin Affected versions of this package are vulnerable to Replay Attack via the webhook signature verification process. An attacker can bypass replay detection by submitting requests with equivalent Base64 and Base64URL-encoded signatures, causing the system to treat them as distinct and allowing replayed requests to be accepted. How to fix Replay Attack? A fix was pushed into the `master` branch but not yet published.	>=0.0.0
M Allocation of Resources Without Limits or Throttling @openclaw/voice-call is an OpenClaw voice-call plugin Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `voice-call` process. An attacker can cause excessive resource consumption by sending oversized WebSocket frames before validation occurs. How to fix Allocation of Resources Without Limits or Throttling? A fix was pushed into the `master` branch but not yet published.	>=0.0.0
H Replay Attack @openclaw/voice-call is an OpenClaw voice-call plugin Affected versions of this package are vulnerable to Replay Attack in the `webhook-security.ts` process. An attacker can bypass replay protection by capturing a valid signed webhook and resending it with reordered query parameters, thereby triggering duplicate processing of voice-call events. How to fix Replay Attack? A fix was pushed into the `master` branch but not yet published.	>=0.0.0
H Replay Attack @openclaw/voice-call is an OpenClaw voice-call plugin Affected versions of this package are vulnerable to Replay Attack due to improper derivation of the replay key in the `webhook-security.ts` process. An attacker can bypass replay protection and submit multiple authenticated requests by modifying the query string of the verification URL without altering the signature. How to fix Replay Attack? A fix was pushed into the `master` branch but not yet published.	>=0.0.0
M Incorrect Authorization @openclaw/voice-call is an OpenClaw voice-call plugin Affected versions of this package are vulnerable to Incorrect Authorization via the webhook event deduplication. An attacker can trigger duplicate or stale call-state transitions by replaying Twilio webhook events with randomized event IDs. How to fix Incorrect Authorization? Upgrade `@openclaw/voice-call` to version 2026.2.23 or higher.	<2026.2.23
M Incorrect Authorization @openclaw/voice-call is an OpenClaw voice-call plugin Affected versions of this package are vulnerable to Incorrect Authorization in the group authorization process when `groupPolicy=allowlist` and `dmPolicy=pairing` are configured and pairing-store entries are present. An attacker can gain unauthorized group access by leveraging DM-paired identities to bypass group allowlist checks. This is only exploitable if both `groupPolicy=allowlist` and `dmPolicy=pairing` are enabled and pairing-store entries exist. How to fix Incorrect Authorization? Upgrade `@openclaw/voice-call` to version 2026.3.1 or higher.	<2026.3.1
H Allocation of Resources Without Limits or Throttling @openclaw/voice-call is an OpenClaw voice-call plugin Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the media-stream WebSocket upgrades. An attacker can exhaust server resources by establishing multiple unauthenticated pre-start socket connections and keeping them open without validation. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `@openclaw/voice-call` to version 2026.2.22 or higher.	<2026.2.22

Vulnerability

Vulnerable Version

Replay Attack

@openclaw/voice-call is an OpenClaw voice-call plugin

Affected versions of this package are vulnerable to Replay Attack in the callback process. An attacker can alter the origin of a Plivo callback before it is rejected by replaying a captured valid callback for a live call.

How to fix Replay Attack?