Archive: https://archive.today/3LO0R
From the post:
>The OpenCode codebase has critical security vulnerabilities:
>
>No CORS validation - /packages/opencode/src/server/server.ts:135 uses .use(cors()) with no origin restrictions
>
>No authentication - Any request works without tokens/credentials
>
>Arbitrary shell execution and file read -
>POST /session/:id/shell executes any command
>GET /file/content?path=/etc/passwd reads file by path
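One way a local HTTP server can close the first two findings before any route handler runs, as an added example that is not OpenCode's code and not part of the quoted post. The origin allowlist, port, token and request objects are constructed assumptions.

```javascript
// Added example, not OpenCode's code. Origins, port, token and request shape are constructed.
const ALLOWED_ORIGINS = new Set(["http://localhost:3000", "http://127.0.0.1:3000"]);
const TOKEN = "example-token-not-a-secret"; // placeholder; generate per install in practice

// The loop always runs over the expected token's length, so timing does not
// reveal how many leading characters matched. In Node, crypto.timingSafeEqual
// over equal-length buffers is the library option.
function tokensMatch(given, expected) {
  let diff = given.length ^ expected.length;
  for (let i = 0; i < expected.length; i++) {
    diff |= (given.charCodeAt(i % (given.length || 1)) || 0) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Decide on a request before routing. Header names are assumed lower-cased.
function gate(req, expectedToken) {
  const origin = req.headers["origin"];
  const headers = { Vary: "Origin" };
  if (origin !== undefined) {
    // Reject on the server: CORS response headers only control whether a browser
    // lets the page read the reply, they do not stop the request from arriving.
    if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers };
    headers["Access-Control-Allow-Origin"] = origin; // exact origin, never "*"
  }
  if (req.method === "OPTIONS") {
    headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type";
    return { status: 204, headers }; // preflights carry no credentials
  }
  const auth = req.headers["authorization"] || "";
  const given = auth.startsWith("Bearer ") ? auth.slice(7) : "";
  if (!tokensMatch(given, expectedToken)) return { status: 401, headers };
  return { status: 200, headers }; // caller may now dispatch to the handler
}

// Constructed sample requests using the two endpoints named in the post.
const SAMPLES = [
  { method: "POST", path: "/session/abc/shell", headers: { origin: "https://untrusted.example" } },
  { method: "GET", path: "/file/content?path=/etc/passwd", headers: {} },
  { method: "POST", path: "/session/abc/shell",
    headers: { origin: "http://localhost:3000", authorization: "Bearer " + TOKEN } },
  { method: "OPTIONS", path: "/session/abc/shell", headers: { origin: "http://localhost:3000" } },
  { method: "POST", path: "/session/abc/shell",
    headers: { origin: "http://localhost:3000", authorization: "Bearer wrong" } },
];

function runSamples() {
  return SAMPLES.map((r) => gate(r, TOKEN).status);
}
```

The second sample has no `Origin` header at all, which is what a non-browser local process sends; only the token check stops it, so the origin allowlist is not a substitute for authentication.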