GHSA-3m3q-x3gj-f79x: 
JavaScript vulnerability analysis and mitigation

Affected Packages / Versions

This issue affects the optional voice-call plugin only. It is not enabled by default; it only applies to installations where the plugin is installed and enabled.

• Package: @openclaw/voice-call
• Vulnerable versions: < 2026.2.3
• Patched versions: >= 2026.2.3Legacy package name (if you are still using it):
• Package: @clawdbot/voice-call
• Vulnerable versions: <= 2026.1.24
• Patched versions: none published under this package name; migrate to @openclaw/voice-call

Summary

In certain reverse-proxy / forwarding setups, webhook verification can be bypassed if untrusted forwarded headers are accepted.

Impact

An external party may be able to send voice-call webhook requests that are accepted as valid, which can result in spoofed webhook events being processed.

Root Cause

Some deployments implicitly trusted forwarded headers (for example Forwarded / X-Forwarded-*) when determining request properties used during webhook verification. If those headers are not overwritten by a trusted proxy, a client can supply them directly and influence verification.

Resolution

Ignore forwarded headers by default unless explicitly trusted and allowlisted in configuration. Keep any loopback-only development bypass restricted to local development only. Upgrade to a patched version. If you cannot upgrade immediately, strip Forwarded and X-Forwarded-* headers at the edge so clients cannot supply them directly.

Fix Commit(s)

• a749db9820eb6d6224032a5a34223d286d2dcc2f

Credits

Thanks @0x5t for reporting.