We Turned a Dependency Audit Into New ClawMoat Detections

Published: March 17, 2026 at 04:13 PM EDT
Source: Dev.to

Prototype Pollution (__proto__ injection)

CVE family: axios mergeConfig, lodash merge

An attacker can send JSON such as {"__proto__": {"admin": true}} to a vulnerable library. If an AI agent processes or forwards that content, it could corrupt the prototype chain of the host application.

ClawMoat now detects:

{"__proto__": {"isAdmin": true}}
{"constructor": {"prototype": {"role": "admin"}}}

ReDoS via Nested Extglobs

CVE family: minimatch GHSA-952p-6rrq-rcjv, GHSA-f8q6-p94x-37v3

The minimatch library catastrophically backtracks on patterns like *(*(*(a))) or on multiple adjacent ** segments. When an agent validates file paths using such patterns, it can be subjected to a denial‑of‑service attack.

ClawMoat now flags:

  • Nested *() extglob patterns
  • Multiple adjacent GLOBSTAR segments (e.g., **abc**def**)
  • Classic nested quantifiers such as (.+)+

JWT Algorithm Confusion

CVE family: PyJWT GHSA-m695-7mj6-7w6v, jose alg:none

The alg: none attack tells a JWT library to skip signature verification entirely. A kid injection attack can smuggle SQL or path‑traversal payloads into the key ID header.

ClawMoat now detects:

{"alg": "none", "typ": "JWT"}
{"kid": "../../keys/../../etc/passwd"}
{"crit": ["custom-header"]}

Decompression Bombs

CVE family: urllib3 GHSA-g4mx-q9vg-27p4

urllib3 previously had no limit on decompression chain depth, allowing an attacker to nest gzip inside brotli inside zstd and exhaust memory. If an agent decompresses content from an untrusted source, this becomes a viable attack vector.

ClawMoat now detects nested compression instructions and suspiciously large Base64‑encoded payloads.

Drive‑Relative Path Traversal

CVE family: tar GHSA-qffp-2rhf-9h96

On Windows, a path like C:target (without a backslash) is drive-relative: it resolves against the current directory of the C: drive rather than to C:\target. An archive containing such entries can write outside the intended extraction directory, bypassing ../ checks.

ClawMoat’s multimodal scanner now catches C:filename patterns, as well as absolute paths (C:\, /) and UNC paths (\\server\share).
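
An added example, not ClawMoat's own code: a regex-only classifier for archive entry names covering the cases above, next to a naive guard that rejects only ../ and absolute paths and therefore lets C:target through. The function names, rule labels and sample entries are constructed for illustration.

```javascript
// Naive guard of the kind the drive-relative trick bypasses:
// it rejects ".." segments and absolute paths, nothing else.
function naiveIsSafe(entry) {
  const hasDotDot = entry.split(/[\\/]/).includes('..');
  const isAbsolute = /^([\\/]|[A-Za-z]:[\\/])/.test(entry);
  return !hasDotDot && !isAbsolute;
}

// Ordered rules, first match wins. Labels are illustrative.
const RULES = [
  ['unc', /^[\\/]{2}[^\\/]+[\\/]+[^\\/]+/],   // \\server\share
  ['drive-absolute', /^[A-Za-z]:[\\/]/],      // C:\ or C:/
  ['drive-relative', /^[A-Za-z]:(?![\\/])/],  // C:target, or a bare "C:"
  ['rooted', /^[\\/]/],                       // /etc/..., \Windows\...
  ['dot-dot', /(^|[\\/])\.\.([\\/]|$)/],      // ".." as a whole segment
];

// Returns the label of the first matching rule, or 'ok'.
function classifyEntry(entry) {
  for (const [label, re] of RULES) {
    if (re.test(entry)) return label;
  }
  return 'ok';
}

// Entries the naive guard accepts but the classifier rejects.
function naiveBypasses(entries) {
  return entries.filter((e) => naiveIsSafe(e) && classifyEntry(e) !== 'ok');
}

// Constructed sample entry names, as they might appear in an archive listing.
const SAMPLE_ENTRIES = [
  'docs/readme.md',
  'notes..txt',
  '../../outside.txt',
  'C:\\Windows\\evil.dll',
  'C:target',
  '\\\\server\\share\\x',
  '/etc/cron.d/job',
];

for (const name of SAMPLE_ENTRIES) {
  console.log(name, '->', classifyEntry(name), '| naive guard passes:', naiveIsSafe(name));
}
console.log('naive bypasses:', naiveBypasses(SAMPLE_ENTRIES));
```

A verdict other than ok is a reason to skip or rename the entry before extraction; the check is on the entry name as stored in the archive, before any path joining.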

The Flywheel

Real vulnerabilities → real patterns → real protection.
Every published CVE provides a roadmap for attackers; we use the same roadmap to build detections. The more CVEs we ingest, the stronger ClawMoat becomes.

New Scanner

The new scanner scanDependencyAttacks() is available now in ClawMoat, has zero dependencies, and is implemented with pure regex.

const { scanDependencyAttacks } = require('clawmoat');

const result = scanDependencyAttacks(userInput);
if (!result.clean) {
  console.log('Attack pattern detected:', result.findings);
}

ClawMoat on GitHub | clawmoat.com
