[Bug]: RangeError: Maximum call stack size exceeded in isValidBase64 when sending large image attachments via webchat (mobile)

[zachzion762]

Bug type

Crash (gateway returns INVALID_REQUEST, WebSocket disconnects)

Beta release blocker

No

Summary

Sending a photo from a mobile browser (iOS Safari) via the webchat UI causes a hard crash on chat.send with RangeError: Maximum call stack size exceeded. The error originates inside isValidBase64() in attachment-normalize-B8Ooqwet.js when running RegExp.test() against a large base64-encoded image payload (iPhone JPEG, ~3–5MB raw → ~4–7MB base64). The gateway returns INVALID_REQUEST and the WebSocket disconnects with code 1006.

A secondary error also surfaces in the same pipeline when sharp is not installed: Error: Optional dependency sharp is required for image attachment processing. Both errors originate from the same attachment normalization code path.

Steps to reproduce

1. Open the OpenClaw webchat in a mobile browser (tested: iOS Safari)
2. Tap the attachment button and select a photo from your camera roll (standard iPhone JPEG)
3. Send the message

Result: WebSocket disconnects immediately, client shows RangeError: Maximum call stack size exceeded

Expected: Image is staged and delivered to the agent normally

OpenClaw version

2026.5.7 (eeef486)

Operating system

Ubuntu 24.04 LTS — kernel 6.8.0-88-generic x86_64

Install method

npm global (fnm-managed Node 22.22.2)

Logs and evidence

Gateway log (exact):

ERROR chat.send attachment parse/stage failed
RangeError: Maximum call stack size exceeded
    at RegExp.test (<anonymous>)
    at isValidBase64 (attachment-normalize-B8Ooqwet.js:43:34)
    at parseMessageWithAttachments (attachment-normalize-B8Ooqwet.js:108:9)
    at async chat.send (chat-3xUbD00m.js:1716:20)
    at async handleGatewayRequest (server-methods-DStUV8Sh.js:11785:2)
    at async message-handler-Cc2t2lqw.js:1458:5

⇄ res ✗ chat.send 180ms errorCode=INVALID_REQUEST errorMessage=RangeError: Maximum call stack size exceeded
webchat disconnected code=1006 reason=n/a

This error fires twice per send attempt — once before offload staging and once after — indicating isValidBase64 runs at multiple points in the attachment pipeline.

Secondary error (same pipeline, sharp not installed):

Error: Optional dependency sharp is required for image attachment processing

Root cause analysis

isValidBase64() at line 43 of attachment-normalize-B8Ooqwet.js calls RegExp.test() against the full raw base64 string of the image. For large payloads (multi-MB iPhone JPEGs), V8's regex engine hits its internal recursion limit, throwing RangeError: Maximum call stack size exceeded.

This is a known V8 behavior: certain regex patterns applied to strings in the multi-megabyte range can exhaust the engine's recursion stack. The validation just needs to be size-aware.

Suggested fix

Option A — Skip regex validation above a size threshold (least invasive):

function isValidBase64(str) {
  // Regex-based validation is unsafe for large payloads in V8.
  // Skip full validation for strings over 1MB — trust the data URL prefix instead.
  if (str.length > 1_000_000) return true;
  return /^[A-Za-z0-9+/]+=*$/.test(str);
}

Option B — Node built-in round-trip check (most correct, zero regex):

function isValidBase64(str) {
  try {
    return Buffer.from(str, 'base64').toString('base64') === str.replace(/\s/g, '');
  } catch {
    return false;
  }
}

Option C — Validate a prefix sample only (fast and safe):

function isValidBase64(str) {
  const sample = str.slice(0, 1024);
  return /^[A-Za-z0-9+/\s]+=*$/.test(sample);
}

Option B is the most correct. Option A is the least invasive patch.

Secondary issue: sharp listed as optional but required

The attachment pipeline emits Error: Optional dependency sharp is required for image attachment processing. If sharp is truly optional, the pipeline should degrade gracefully rather than hard-error. If it is actually required for image attachments, it should be a proper dependency in package.json so it installs by default.

Impact and severity

• Affected: Any user sending images from a mobile browser via webchat (confirmed on iOS Safari with standard iPhone JPEG)
• Severity: High — complete failure of image attachment from mobile; gateway returns INVALID_REQUEST and drops the WebSocket connection
• Frequency: Always — 100% reproducible with an iPhone photo
• Consequence: Mobile users cannot send any image attachments via webchat

Workaround

Text-only messages work fine. Do not attach images from a mobile browser until patched. Desktop browsers are unaffected.

Additional information

Related prior issue filed by same reporter: #72366 (Bonjour crash-loop on startup)

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. Current main and the latest release still validate the full attachment base64 payload with a regex in the gateway parser, and the same reporter has an open paired PR for the narrow validator fix that has not merged yet.

Reproducibility: no. high-confidence live current-main reproduction was established. The source path still uses the reported regex and the logs match chat.send attachment parsing, but prior focused large-string probes did not reproduce the RangeError outside the reported runtime.

Next step
No repair job: the same reporter already has an open paired PR for the narrow fix, so the next action is maintainer review and real-behavior-proof follow-up on that PR.

Review details

Best possible solution:

Review and land the paired gateway validator PR after redacted real WebChat proof and focused regression coverage, while tracking the sharp packaging behavior separately.

Do we have a high-confidence way to reproduce the issue?

No high-confidence live current-main reproduction was established. The source path still uses the reported regex and the logs match chat.send attachment parsing, but prior focused large-string probes did not reproduce the RangeError outside the reported runtime.

Is this the best way to solve the issue?

Yes, the narrow maintainable direction is a non-decoding linear base64 validator in src/gateway/chat-attachments.ts that preserves the existing size guard. The issue should stay open until the paired PR is proven and merged or replaced.

What I checked:

• Current parser still uses whole-payload regex: isValidBase64 still rejects empty/non-multiple-of-four values and then runs /^[A-Za-z0-9+/]+={0,2}$/.test(value) over the entire attachment payload before size estimation. (src/gateway/chat-attachments.ts:146, e975c3b212a5)
• chat.send reaches the parser: The chat.send handler calls parseMessageWithAttachments(...) inside gateway.chat_send.prepare_attachments, matching the reported gateway failure path. (src/gateway/server-methods/chat.ts:2152, e975c3b212a5)
• Control UI sends base64 content: Control UI serialization extracts the data URL payload into an attachment content string, so mobile image data reaches the gateway as a large base64 string. (ui/src/ui/controllers/chat.ts:378, e975c3b212a5)
• Existing test contract preserves pre-decode size guard: The attachment tests assert oversized builder/parser payloads are rejected without any Buffer.from(..., "base64") call, which supports a non-decoding validator rather than a Buffer round trip. (src/gateway/chat-attachments.test.ts:569, e975c3b212a5)
• Latest release still has the regex: The published v2026.5.12 source still contains the same isValidBase64 regex, so this was not fixed in the latest release. (src/gateway/chat-attachments.ts:117, f066dd2f31c2)
• Paired open fix PR exists: The same reporter has an open paired PR at fix: replace regex in isValidBase64 with Buffer round-trip to prevent stack overflow on large attachments #81911 replacing the regex with a character-code scan; it is not merged and has a real-behavior-proof label. (220dfa8c211c)

Likely related people:

• Syysean: Authored the claim-check attachment work and the follow-up commit that removed the large-payload skip and restored full regex validation in the implicated parser. (role: introduced validation behavior; confidence: high; commits: b1b513ff8aa6, 6f389205bfda, d430cb7530fe; files: src/gateway/chat-attachments.ts, src/gateway/chat-attachments.test.ts)
• samzong: Authored the merged non-image attachment offload work that substantially changed parseMessageWithAttachments, chat.send attachment handling, and the gateway attachment tests. (role: recent area contributor; confidence: medium; commits: 25ef9c0c419d; files: src/gateway/chat-attachments.ts, src/gateway/server-methods/chat.ts, src/gateway/chat-attachments.test.ts)
• steipete: History shows original WebSocket chat attachment work and the base64 size-guard helper used by the implicated validation path. (role: adjacent area contributor; confidence: medium; commits: 1dd5c97ae00c, 31791233d604; files: src/gateway/chat-attachments.ts, src/gateway/chat-attachments.test.ts, src/media/base64.ts)
• vincentkoc: Current checkout blame attributes the current validator block to a recent commit that carried this file forward on main; this is a routing signal, not root-cause attribution. (role: recent current-line contributor; confidence: low; commits: 872e068470d7; files: src/gateway/chat-attachments.ts, src/gateway/server-methods/chat.ts, ui/src/ui/controllers/chat.ts)

Remaining risk / open question:

• The exact mobile Safari/WebChat RangeError was not reproduced live on current main; the strongest evidence is the reporter's gateway stack plus the matching current source path.
• The separate sharp optional-dependency symptom is related to image processing but should stay out of the narrow base64-validator repair unless maintainers choose a broader fix.

Codex review notes: model gpt-5.5, reasoning high; reviewed against e975c3b212a5.

[jian23cn]

Same problem here on v2026.5.22. Hope for an urgent fix. Thanks!

[amknight]

Closing as a duplicate of #90098 (P1, "Stack-safe large attachment handling for Control UI and gateway"), the canonical tracking issue.

Decision: duplicate; consolidating into #90098.

Why: your report is the most precise in the cluster — the crash is in isValidBase64() RegExp.test() in the gateway bundle attachment-normalize-*.js, returning INVALID_REQUEST and dropping the socket (1006). That's the exact server-side path #90098 tracks (full-string regex validation over a multi-MB base64 payload). Same root cause as #81606 / #89433 / #89893 / #91954. The secondary sharp is required message is a separate, already-known optional-dependency notice in the same pipeline.

Supported alternative: follow #90098. Until the fix lands, send large photos via another channel or downscale before upload.

What would reopen this: a repro showing the top stack frame is outside the gateway attachment parse/normalize path.