RCE and file read vulnerability


Description

Vulnerability Summary

The OpenCode codebase has critical security vulnerabilities:

  1. No CORS validation - /packages/opencode/src/server/server.ts:135 uses .use(cors()) with no origin restrictions
  2. No authentication - Any request works without tokens/credentials
  3. Arbitrary shell execution and file read - POST /session/:id/shell executes any command, and GET /file/content?path=/etc/passwd reads any file by path

Attack Vector

Any website can:

  1. Scan localhost ports to find the OpenCode server
  2. List existing sessions via GET /session
  3. Create a new session via POST /session
  4. Execute arbitrary shell commands via POST /session/:id/shell
  5. Read any file via GET /file/content?path=/etc/passwd

OpenCode version

1.0.207

Steps to reproduce

  1. Start the opencode server (or just open opencode in any directory)
  2. Go to https://mishkun.github.io/opencode-rce-poc/ and follow the instructions
  3. Enjoy being pwned

Screenshot and/or share link

No response

Operating System

macos

Terminal

iTerm2