RCE and file read vulnerability
Description
Vulnerability Summary
The OpenCode codebase has critical security vulnerabilities:
- No CORS validation - /packages/opencode/src/server/server.ts:135 uses .use(cors()) with no origin restrictions
- No authentication - Any request works without tokens/credentials
- Arbitrary shell execution and file read - POST /session/:id/shell executes any command; GET /file/content?path=/etc/passwd reads a file by path
Attack Vector
Any website can:
- Scan localhost ports to find the OpenCode server
- List existing sessions via GET /session
- Create a new session via POST /session
- Execute arbitrary shell commands via POST /session/:id/shell
- Read any file via GET /file/content?path=/etc/passwd
OpenCode version
1.0.207
Steps to reproduce
- start opencode server (or just open opencode in any dir)
- go to https://mishkun.github.io/opencode-rce-poc/ and follow instructions
- enjoy being pwned
Screenshot and/or share link
No response
Operating System
macos
Terminal
iTerm2
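As an added example (not OpenCode's code and not written by anyone in this thread), the following Node.js snippet contrasts the "no origin restrictions" CORS setting from the summary with an exact-match origin allow-list, and adds the per-request bearer-token check the report says is missing. The allowed origins, the token value, the header shapes and the function names are all assumptions made for the illustration.

```javascript
// Added example, not OpenCode's code. Models the two server-side checks this thread
// discusses for an HTTP API listening on localhost: an explicit CORS origin allow-list
// instead of a wildcard, and a per-request credential. Origins and token are assumed.

const ALLOWED_ORIGINS = new Set([
  "http://localhost:3000", // hypothetical local web UI origin (assumption)
  "http://127.0.0.1:3000",
]);

// Weak configuration: reflecting whatever Origin arrives (or "*") means any page the
// user happens to visit can make cross-origin calls to a server bound to localhost.
function permissiveCorsHeaders(originHeader) {
  return { "access-control-allow-origin": originHeader ?? "*" };
}

// Hardened configuration: emit Access-Control-Allow-Origin only for an exact,
// normalised match against the allow-list; otherwise emit no CORS headers at all.
// Exact Set membership avoids the prefix/suffix bypasses that regex checks invite.
function strictCorsHeaders(originHeader, allowlist = ALLOWED_ORIGINS) {
  if (typeof originHeader !== "string") return {};
  let origin;
  try {
    origin = new URL(originHeader).origin; // "http://localhost:3000/" -> "http://localhost:3000"
  } catch {
    return {}; // "Origin: null", malformed values, etc. get nothing
  }
  if (!allowlist.has(origin)) return {};
  return { "access-control-allow-origin": origin, vary: "Origin" };
}

// Constant-time string comparison so the token check does not leak prefix timing.
function tokensEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Gate for a command-running or file-reading route. Header keys are lower-case as
// Node's http module delivers them. A valid bearer token is always required; if a
// browser Origin is present it must additionally be allow-listed.
function gateRequest(headers, expectedToken, allowlist = ALLOWED_ORIGINS) {
  const auth = headers["authorization"] ?? "";
  const token = auth.startsWith("Bearer ") ? auth.slice(7) : "";
  if (!tokensEqual(token, expectedToken)) {
    return { allowed: false, status: 401, cors: {} };
  }
  const origin = headers["origin"];
  if (origin !== undefined) {
    const cors = strictCorsHeaders(origin, allowlist);
    if (Object.keys(cors).length === 0) {
      return { allowed: false, status: 403, cors: {} };
    }
    return { allowed: true, status: 200, cors };
  }
  return { allowed: true, status: 200, cors: {} }; // non-browser client (e.g. a CLI) with a token
}

// Constructed sample requests (not captured traffic).
const TOKEN = "example-token-not-real";
const samples = [
  { name: "untrusted site, no token", headers: { origin: "https://untrusted.example" } },
  { name: "untrusted site, wrong token", headers: { origin: "https://untrusted.example", authorization: "Bearer wrong" } },
  { name: "local UI with token", headers: { origin: "http://localhost:3000", authorization: `Bearer ${TOKEN}` } },
  { name: "CLI with token", headers: { authorization: `Bearer ${TOKEN}` } },
];

for (const s of samples) {
  const verdict = gateRequest(s.headers, TOKEN);
  console.log(`${s.name}: ${verdict.allowed ? "allowed" : "denied"} (${verdict.status})`);
}
```

The point of pairing the two checks is that CORS alone only governs what a browser will let a page read back; a request that runs a shell command has already done its damage by the time the response is blocked, so the credential check is what actually stops the cross-site call, and the allow-list is what keeps the legitimate local UI working.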
This issue might be a duplicate of existing issues. Please check:
- #5256: [FEATURE]: Adding Authentication to opencode server api - directly addresses the authentication vulnerability you've identified
- #5076: OpenCode should have better/safer defaults to be more security minded - discusses related security concerns about default configurations
Feel free to ignore if none of these address your specific case.
Chrome and Chromium require "local network access" permission; the latest Firefox (146.0.1) doesn't require anything, the exploit works without permission; Safari and Brave browsers block port scanning.
updating cors policy and releasing that: https://github.com/sst/opencode/commit/7d2d87fa2c44e32314015980bb4e59a9386e858c
Previously reported here: https://github.com/anomalyco/opencode/security/advisories/GHSA-vxw4-wv6m-9hhh
@rekram1-node Now that this has been independently reported and fixed, could you please publish the advisory
@rekram1-node Why does opencode.ai need arbitrary command execution powers to all OpenCode users' machines?
Hi @rekram1-node, FYI - since the issue is now public and I haven't been able to reach anyone from the team regarding the above, I plan to publish a full disclosure of this and remaining problems at https://cy.md/opencode-rce/ in 48 hours (2026-01-11).
hey sorry this got dropped over the holidays
do you mind sending me disclosure to [email protected]
the reason for the opencode.ai exception was for people using the webapp at app.opencode.ai
we've made a change recently not to start the server by default, it's opted into
> hey sorry this got dropped over the holidays

Understandable, but I should note that I first tried reaching out in November. The address mentioned here might not be monitored.

> we've made a change recently not to start the server by default, it's opted into

This is great, thank you!

> do you mind sending me disclosure to [email protected]

Sent!

> I plan to publish a full disclosure of this and remaining problems at https://cy.md/opencode-rce/ in 48 hours (2026-01-11).

Posted.