@openclaw/voice-call@2026.2.24

OpenClaw voice-call plugin

Direct Vulnerabilities

Known vulnerabilities in the @openclaw/voice-call package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability | Vulnerable Version
  • L
Replay Attack

@openclaw/voice-call is an OpenClaw voice-call plugin

Affected versions of this package are vulnerable to Replay Attack in the callback process. An attacker can alter the origin of a Plivo callback before it is rejected by replaying a captured valid callback for a live call.

How to fix Replay Attack?

A fix was pushed into the master branch but not yet published.

>=0.0.0
  • M
Replay Attack

Affected versions of this package are vulnerable to Replay Attack via the webhook signature verification process. An attacker can bypass replay detection by submitting requests with equivalent Base64 and Base64URL-encoded signatures, causing the system to treat them as distinct and allowing replayed requests to be accepted.

How to fix Replay Attack?

A fix was pushed into the master branch but not yet published.

>=0.0.0
  • M
Allocation of Resources Without Limits or Throttling

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the voice-call process. An attacker can cause excessive resource consumption by sending oversized WebSocket frames before validation occurs.

How to fix Allocation of Resources Without Limits or Throttling?

A fix was pushed into the master branch but not yet published.

>=0.0.0
  • H
Replay Attack

Affected versions of this package are vulnerable to Replay Attack in the webhook-security.ts process. An attacker can bypass replay protection by capturing a valid signed webhook and resending it with reordered query parameters, thereby triggering duplicate processing of voice-call events.

How to fix Replay Attack?

A fix was pushed into the master branch but not yet published.

>=0.0.0
  • H
Replay Attack

Affected versions of this package are vulnerable to Replay Attack due to improper derivation of the replay key in the webhook-security.ts process. An attacker can bypass replay protection and submit multiple authenticated requests by modifying the query string of the verification URL without altering the signature.

How to fix Replay Attack?

A fix was pushed into the master branch but not yet published.

>=0.0.0
  • M
Incorrect Authorization

Affected versions of this package are vulnerable to Incorrect Authorization in the group authorization process when groupPolicy=allowlist and dmPolicy=pairing are configured and pairing-store entries are present. An attacker can gain unauthorized group access by leveraging DM-paired identities to bypass group allowlist checks. This is only exploitable if both groupPolicy=allowlist and dmPolicy=pairing are enabled and pairing-store entries exist.

How to fix Incorrect Authorization?

Upgrade @openclaw/voice-call to version 2026.3.1 or higher.

<2026.3.1