FRESH

Hacker News

Home

Unauthenticated remote code execution in OpenCode

427 points by CyberShadow

by thdxr

13 subcomments

hey maintainer here
we've done a poor job handling these security reports, usage has grown rapidly and we're overwhelmed with issues
we're meeting with some people this week to advise us on how to handle this better, get a bug bounty program funded and have some audits done

by kaliszad

5 subcomments

Many people seem to be running OpenCode and similar tools on their laptop with basically no privilege separation, sandboxing, fine-grained permissions settings in the tool itself. This tendency is reflected also by how many plugins are designed, where the default assumption is the tool is running unrestricted on the computer next to some kind of IDE as many authentication callbacks go to some port on localhost and the fallback is to parse out the right parameter from the callback URL. Also for some reasons these tools tend to be relative resource hogs even when waiting for a reply from a remote provider. I mean, I am glad they exist, but it seems very rough around the edges compared to how much attention these tools get nowadays.
Please run at least a dev-container or a VM for the tools. You can use RDP/ VNC/ Spice or even just the terminal with tmux to work within the confines of the container/ machine. You can mirror some stuff into the container/ machine with SSHFS, Samba/ NFS, 9p. You can use all the traditional tools, filesystems and such for reliable snapshots. Push the results separately or don't give direct unrestricted git access to the agent.
It's not that hard. If you are super lazy, you can also pay for a VPS $5/month or something like that and run the workload there.

by throw_me_uwu

4 subcomments

WTF, they not just made unauthenticated RCE http endpoint, they also helpfully added CORS bypass for it... all in CLI tool? That silently starts http server??

by ollien

2 subcomments

A coworker raised an interesting point to me. The CORS fix removes exploitation by arbitrary websites (but obviously allows full access from the opencode domain), but let's take that piece out for a second...
What's the difference here between this and, for example, the Neovim headless server or the VSCode remote SSH daemon? All three listen on 127.0.0.1 and would grant execution access to another process who could speak to them.
Is there a difference here? Is the choice of HTTP simply a bad one because of the potential browser exploitation, which can't exist for the others?

by AlexErrant

3 subcomments

The disclosure timeline is concerning.
Reported 2025-11-17, and multiple "no responses" after repeated attempts to contact the maintainers... not a good look.

by blindseer

1 subcomments

Lots of the same people that were behind: https://www.terminal.shop/
afaict, for that project they never went through PCI compliance. See original thread for more information: https://news.ycombinator.com/item?id=40228751
They seem to not have a lot of real world experience and/or throw caution to the wind and YOLO through security practices. I'd be weary using any of their products.

by zmmmmm

2 subcomments

This is pretty egregious. And outside the fact the server is now disabled by default, once it's running it is still egregious:
> When server is enabled, any web page served from localhost/127.0.0.1 can execute code
> When server is enabled, any local process can execute code without authentication
> No indication when server is running (users may be unaware of exposure)
I'm sorry this is horrible. I really want there to be a good actual open cross-provider agentic coding tool, but this seems to me to be abusive of people's trust of TUI apps - part of the reason we trust them is they typically DON'T do stuff like this.

by tempaccsoz5

4 subcomments

Seems that OpenCode is YC-backed as well [0] [1]. I would've thought YC would encourage better cyber security practice than OpenCode have demonstrated here.
[0]: https://www.ycombinator.com/companies/sst
[1]: https://anoma.ly/

by heavyset_go

0 subcomment

If you aren't blocking your browser from allowing sites to call to local services, you should:
> Network Boundary Shield
> The Network Boundary Shield (NBS) is a protection against attacks from an external network (the Internet) to an internal network - especially against a reconnaissance attack where a web browser is abused as a proxy.
> The main goal of NBS is to prevent attacks where a public website requests a resource from the internal network (e.g. the logo of the manufacturer of the local router); NBS will detect that a web page hosted on the public Internet is trying to connect to a local IP address. NBS only blocks HTTP requests from a web page hosted on a public IP address to a private network resource; the user can allow specific web pages to access local resources (e.g. when using Intranet services).
https://jshelter.org/nbs/

by shimman

2 subcomments

Huh, I thought opencode was a volunteer project but it looks like it's a business with major backing from major players. Was opencode always set up like this? I could have sworn there was some project with a better governance model, guess not.

by lvl155

2 subcomments

They keep adding features without maintaining the core. I stopped using it when they started selling plans. The main reason for Opencode was to use multiple models but it turns out context sharing across models is PIA and impractical right now. I went back to using Claude Code and Codex side by side.
Having said that, there is definitely a need for open platform to utilize multiple vendors and models. I just don’t think the big three (Anthropic, OAI and Google) will cede that control over with so much money on the line.

by capybarafriend

3 subcomments

fwiw they should probably slow down a bit, even though they seem to be winning the race. they started selling their own subscription plan last week, and promptly committed all subscriber’s emails to the public repo
> Hey - have some bad news.
> We accidentally committed your email to our repo as part of a script that was activating OpenCode Black.
> No other information was included, just the email on its own.

by angry_octet

0 subcomment

This is such an egregious lack of respect for users, you can't trust this organisation again, and the lack of responsiveness just signals that they don't consider it a problem. Users must signal to companies that this attitude is unacceptable by dumping them.

by bandrami

2 subcomments

The next few years are going to be a golden age for ops and security overtime

by blackbear_

2 subcomments

Isn't it insane that any web page can run a port scan in the first place? Who wants that?
Meanwhile, running opencode in a podman container seems to stop this particular, err, feature.

by BenGosub

1 subcomments

It feels that today security is secondary to growth. As long as your growing, a few incidents here and there aren't going to make a difference.

by rcarmo

1 subcomments

I had an interesting experience with OpenCode yesterday, and I was also sent that RCE: https://taoofmac.com/space/blog/2026/01/12/1830

by jerrythegerbil

1 subcomments

I run mine on the public internet and it’s fine, because I put it behind auth, because it’s a tool to remotely execute code with no auth and also has a fully featured webshell.
To be clear, this is a vulnerability. Just the same as exposing unauthenticated telnet is a vulnerability. User education is always good, but at some point in the process of continuing to build user-friendly footguns we need to start blaming the users. “It is what it is”, Duh.
This “vulnerability” has been known by devs in my circle for a while, it’s literally the very first intuitive question most devs ask themselves when using opencode, and then put authentication on top.
Particularly in the AI space it’s going to be more and more common to see users punching above their weight with deployments. Let em learn. Let em grow. We’ll see this pain multiply in the future if these lessons aren’t learned early.

by miduil

0 subcomment

Seems `session/:id/shell` was also `session/:id/bash` and originally `session/:id/command` in some commits.
Maybe I'm using GitHub code search wrongly, but it appears this was just never part of even a pull request - the practice of just having someone pushing to `dev` (default branch) which then will be tagged should perhaps also be revisited.
(Several more commits under `wip: bash` and `feat: bash commands`)
https://github.com/anomalyco/opencode/commit/7505fa61b9caa17...
https://github.com/anomalyco/opencode/commit/93b71477e665600...

by never_inline

0 subcomment

I was about to try it out, having heard good things.
But this leaves a very bad taste.
Guess I will stick to aider and copy-pasting.

by rdtsc

1 subcomments

> Silent fix
So did they fix it silently, without responding to the researcher, or they fixed the silent part where now user is made a aware that a website is trying to execute code on their machine.

by Spivak

1 subcomments

This doesn't actually seem that bad to me? Browsers don't let random pages on the internet hit localhost without prompting you anymore so it's not like a random website could RCE you unless you're running an old browser—and at that point that's the browser's fault for letting web pages out of the sandbox. You shouldn't have to protect localhost from getting hit with random public websites.
The rest is just code running as your user can talk to code running as your user. I don't really consider this to be a security boundary. If I can run arbitrary code by hitting a URL I accept that any program running as me can as well. Going above and beyond is praiseworthy (good for you turning on SELinux as an example) but I don't expect it by default.

0 subcomment

by dxuh

1 subcomments

I liked aider initially, but I keep running into problems, as the project seems largely unmaintained. I wanted to install OpenCode yesterday, but this somewhat turns me off. Are there any good model-agnostic alternatives? I am somewhat shocked there is not a lot of good open source CLI LLM code assistants going around.

by pixl97

0 subcomment

Just looking at some other stuff in this page and it seems it may have a few SSRFs.
Also it uses astro 5.7.13 that may have an SSRF of it's own. No idea if would be exploitable, but way out of date packages with potential security risks are a good place to start looking.

by gpm

2 subcomments

I'd be curious to know what features need opencode.ai to be an allowed origin for the local server.

by forgotTheLast

0 subcomment

On the one hand, with 1800 open issues and 800 open PRs (most of it probably AI generated slop) makes it a bit understandable for the maintainers to be slow to reply. On the other hand, the vulnerability is so baffling that I'll make sure to stay as far away as possible from this project.

by Bridged7756

0 subcomment

Running a non deterministic model in your terminal, allowing it to run whatever commands it wants always seemed like such a fucking stupid thing to do to me. How can people just wing it, let alone when production code is involved is just baffling to me. 0 concern about security.

by AlexAltea

0 subcomment

Related: https://news.ycombinator.com/item?id=46539718

by lifetimerubyist

0 subcomment

Why does an agent need a web server to take remote commands in the first place???

by m3kw9

2 subcomments

Vibe coding a coding CLI?

by fragmede

0 subcomment

How's that plastic utensils at Anthropic's buffet analogy going now?

by kachapopopow

0 subcomment

people run AI tools outside a sandbox? tf? the first thing I did with claude code is put it in a sandbox.
come on people, docker and podman exist, please use them - it isolates you not only from problems like this but supply chain attacks as well.
it also has superior compatibility, any person working on your project will have all the tools available to compile it since to build & run it you use a simple Containerfile.
(rather outdated now: https://github.com/DeprecatedLuke/claude-loop)

0 subcomment