Previous versions of OpenCode started a server which allowed any website visited in a web browser to execute arbitrary commands on the local machine. Make sure you are using v1.1.10 or newer; see link for more details.
My original message was more positive but after more looking into context, I am a bit more pessimistic.
Now I must admit though that I am little concerned by the fact that the vulnerability reporters tried multiple times to contact you but till no avail. This is not a good look at all and I hope you can fix it asap as you mention
I respect dax from the days of SST framework but this is genuinely such a bad look especially when they Reported on 2025-11-17, and multiple "no responses" after repeated attempts to contact the maintainers...
Sure they reported the bug now but who knows what could have / might have even been happening as OpenCode was the most famous open source coding agent and surely more cybersec must have watched it, I can see a genuine possibility where something must have been used in the wild as well from my understanding from black hat adversaries
I think this means that we should probably run models in gvisor/proper sandboxing efforts.
Even right now, we don't know how many more such bugs might persist and can lead to even RCE.
Dax, This short attention would make every adversary look for even more bugs / RCE vulnerabilities right now as we speak so you only have a very finite time in my opinion. I hope things can be done as fast as possible now to make OpenCode more safer.
Don't waste your time and money on funding bug bounties or "getting audits done". Your staff will add another big security flaw just the next day, back to square one.
I've been curious how this project will grow over time, it seems to have taken the lead as the first open source terminal agent framework/runner, and definitely seems to be growing faster than any organization would/could/should be able to manage.
It really seems like the main focus of the project should be in how to organize the work of the project, rather than on the specs/requirements/development of the codebase itself.
What are the general recommendations the team has been getting for how to manage the development velocity? And have you looked into various anarchist organizational principles?
Good luck, and thank you for eating the accountability sandwich and being up front about what you're doing. That's not always easy to do, and it's appreciated!
For one thing spend a lot more time analyzing your code for these bugs. Use expert humans + LLMs to come up with an analysis plan then use humans + LLMs to execute the plan.
Many people seem to be running OpenCode and similar tools on their laptop with basically no privilege separation, sandboxing, fine-grained permissions settings in the tool itself. This tendency is reflected also by how many plugins are designed, where the default assumption is the tool is running unrestricted on the computer next to some kind of IDE as many authentication callbacks go to some port on localhost and the fallback is to parse out the right parameter from the callback URL. Also for some reasons these tools tend to be relative resource hogs even when waiting for a reply from a remote provider. I mean, I am glad they exist, but it seems very rough around the edges compared to how much attention these tools get nowadays.
Please run at least a dev-container or a VM for the tools. You can use RDP/ VNC/ Spice or even just the terminal with tmux to work within the confines of the container/ machine. You can mirror some stuff into the container/ machine with SSHFS, Samba/ NFS, 9p. You can use all the traditional tools, filesystems and such for reliable snapshots. Push the results separately or don't give direct unrestricted git access to the agent.
It's not that hard. If you are super lazy, you can also pay for a VPS $5/month or something like that and run the workload there.
I've started a project [1] recently that tries to implement this sandbox idea. Very new and extremely alpha, but mostly works as a proof of concept (except haven't figured out how to get Shelley working yet), and I'm sure there's a ton of bugs and things to work through, but could be fun to test and experiment with in a vps and report back any issues.
I really like the product created by fly.io's https://sprites.dev/ for AI's sandboxes effectively. I feel like its really apt here (not sponsored lmao wish I was)
Oh btw if someone wants to run servers via qemu, I highly recommend quickemu. It provides default ssh access,sshfs, vnc,spice and all such ports to just your local device of course and also allows one to install debian or any distro (out of many many distros) using quickget.
I personally really like zed with ssh open remote. I can always open up terminals in it and use claude code or opencode or any and they provide AI as well (I dont use much AI this way, I make simple scripts for myself so I just copy paste for free from the websites) but I can recommend zed for what its worth as well.
WTF, they not just made unauthenticated RCE http endpoint, they also helpfully added CORS bypass for it... all in CLI tool? That silently starts http server??
A coworker raised an interesting point to me. The CORS fix removes exploitation by arbitrary websites (but obviously allows full access from the opencode domain), but let's take that piece out for a second...
What's the difference here between this and, for example, the Neovim headless server or the VSCode remote SSH daemon? All three listen on 127.0.0.1 and would grant execution access to another process who could speak to them.
Is there a difference here? Is the choice of HTTP simply a bad one because of the potential browser exploitation, which can't exist for the others?
If you have a localhost server that uses a client input to execute code without authentication, that’s a local code execution vulnerability at the very least. It becomes a RCE when you find a way to reach local server over the wire, such as via browser http request.
I don’t use VSCode you have mentioned so i don’t know how it is implemented but one can guess that it is implemented with some authentication in mind.
If you aren't blocking your browser from allowing sites to call to local services, you should:
> Network Boundary Shield
> The Network Boundary Shield (NBS) is a protection against attacks from an external network (the Internet) to an internal network - especially against a reconnaissance attack where a web browser is abused as a proxy.
> The main goal of NBS is to prevent attacks where a public website requests a resource from the internal network (e.g. the logo of the manufacturer of the local router); NBS will detect that a web page hosted on the public Internet is trying to connect to a local IP address. NBS only blocks HTTP requests from a web page hosted on a public IP address to a private network resource; the user can allow specific web pages to access local resources (e.g. when using Intranet services).
This is pretty egregious. And outside the fact the server is now disabled by default, once it's running it is still egregious:
> When server is enabled, any web page served from localhost/127.0.0.1 can execute code
> When server is enabled, any local process can execute code without authentication
> No indication when server is running (users may be unaware of exposure)
I'm sorry this is horrible. I really want there to be a good actual open cross-provider agentic coding tool, but this seems to me to be abusive of people's trust of TUI apps - part of the reason we trust them is they typically DON'T do stuff like this.
They seem to not have a lot of real world experience and/or throw caution to the wind and YOLO through security practices. I'd be weary using any of their products.
Seems that OpenCode is YC-backed as well [0] [1]. I would've thought YC would encourage better cyber security practice than OpenCode have demonstrated here.
Huh, I thought opencode was a volunteer project but it looks like it's a business with major backing from major players. Was opencode always set up like this? I could have sworn there was some project with a better governance model, guess not.
They keep adding features without maintaining the core. I stopped using it when they started selling plans. The main reason for Opencode was to use multiple models but it turns out context sharing across models is PIA and impractical right now. I went back to using Claude Code and Codex side by side.
Having said that, there is definitely a need for open platform to utilize multiple vendors and models. I just don’t think the big three (Anthropic, OAI and Google) will cede that control over with so much money on the line.
As someone who uses the two big C's, I can recommend ampcode[0] and Crush[1]+z.ai GLM as an addition.
Amp can do small utility scripts and changes for free (especially if you enable the ads) and Crush+GLM is pretty good at following plans done by Claude or Codex
fwiw they should probably slow down a bit, even though they seem to be winning the race. they started selling their own subscription plan last week, and promptly committed all subscriber’s emails to the public repo
> Hey - have some bad news.
> We accidentally committed your email to our repo as part of a script that was activating OpenCode Black.
> No other information was included, just the email on its own.
This is such an egregious lack of respect for users, you can't trust this organisation again, and the lack of responsiveness just signals that they don't consider it a problem. Users must signal to companies that this attitude is unacceptable by dumping them.
Well I feel like they will take security more in context from here on out.
Atleast they didnt implode their communications like I see from some other companies.
To be really honest, when you bet on AI agents, I feel like soemtimes you bet on the future of the product as well which is built by the people so you are basically betting on the people.
I'd much rather bet/rely on people who are sensibile in communications in troubled times like this than who implode sometimes (I mean no offense to Coderabbit but this is what comes to my head right now)
So moments like these become the litmus test of the products basically imo by seeing how people communicate etc.
Seems `session/:id/shell` was also `session/:id/bash` and originally `session/:id/command` in some commits.
Maybe I'm using GitHub code search wrongly, but it appears this was just never part of even a pull request - the practice of just having someone pushing to `dev` (default branch) which then will be tagged should perhaps also be revisited.
(Several more commits under `wip: bash` and `feat: bash commands`)
I run mine on the public internet and it’s fine, because I put it behind auth, because it’s a tool to remotely execute code with no auth and also has a fully featured webshell.
To be clear, this is a vulnerability. Just the same as exposing unauthenticated telnet is a vulnerability. User education is always good, but at some point in the process of continuing to build user-friendly footguns we need to start blaming the users. “It is what it is”, Duh.
This “vulnerability” has been known by devs in my circle for a while, it’s literally the very first intuitive question most devs ask themselves when using opencode, and then put authentication on top.
Particularly in the AI space it’s going to be more and more common to see users punching above their weight with deployments. Let em learn. Let em grow. We’ll see this pain multiply in the future if these lessons aren’t learned early.
Can you share what made this behavior obvious to you? E.g. when I first saw Open Code, it looked like yet another implementation of Claude Code, Codex-CLI, Gemini-CLI, Project Goose, etc. - all these are TUI apps for agentic coding. However, from these, only Open Code automatically started an unauthenticated web server when I simply started the TUI, so this came as a surprise to me.
So did they fix it silently, without responding to the researcher, or they fixed the silent part where now user is made a aware that a website is trying to execute code on their machine.
It's under "Vendor Advisory", so I'm guessing it's that they fixed it, but never informed any OpenCode users that there was a massive security vulnerability.
This doesn't actually seem that bad to me? Browsers don't let random pages on the internet hit localhost without prompting you anymore so it's not like a random website could RCE you unless you're running an old browser—and at that point that's the browser's fault for letting web pages out of the sandbox. You shouldn't have to protect localhost from getting hit with random public websites.
The rest is just code running as your user can talk to code running as your user. I don't really consider this to be a security boundary. If I can run arbitrary code by hitting a URL I accept that any program running as me can as well. Going above and beyond is praiseworthy (good for you turning on SELinux as an example) but I don't expect it by default.
> Browsers don't let random pages on the internet hit localhost without prompting you anymore
No, that's a Chrome-specific feature that Google added. It is not part of any standard, and does not exist in other browsers (e.g. Safari and Firefox).
> The rest is just code running as your user can talk to code running as your user
No, that assumes that there is only a single user on the machine, and there are either no forms of isolation or that all forms of isolation also use private network namespaces, which has not been how daemons are isolated in UNIX or by systemd. For example, if you were to ever run OpenCode as root, any local process can trivially gain root as well.
I liked aider initially, but I keep running into problems, as the project seems largely unmaintained. I wanted to install OpenCode yesterday, but this somewhat turns me off. Are there any good model-agnostic alternatives? I am somewhat shocked there is not a lot of good open source CLI LLM code assistants going around.
Just looking at some other stuff in this page and it seems it may have a few SSRFs.
Also it uses astro 5.7.13 that may have an SSRF of it's own. No idea if would be exploitable, but way out of date packages with potential security risks are a good place to start looking.
I was investigating that for entirely unrelated reasons just yesterday and the answer so far seems to be "none". You can patch the server to serve the locally built frontend and it all works just fine.
On the one hand, with 1800 open issues and 800 open PRs (most of it probably AI generated slop) makes it a bit understandable for the maintainers to be slow to reply. On the other hand, the vulnerability is so baffling that I'll make sure to stay as far away as possible from this project.
Running a non deterministic model in your terminal, allowing it to run whatever commands it wants always seemed like such a fucking stupid thing to do to me. How can people just wing it, let alone when production code is involved is just baffling to me. 0 concern about security.
people run AI tools outside a sandbox? tf? the first thing I did with claude code is put it in a sandbox.
come on people, docker and podman exist, please use them - it isolates you not only from problems like this but supply chain attacks as well.
it also has superior compatibility, any person working on your project will have all the tools available to compile it since to build & run it you use a simple Containerfile.
thdxr|1 month ago
we've done a poor job handling these security reports, usage has grown rapidly and we're overwhelmed with issues
we're meeting with some people this week to advise us on how to handle this better, get a bug bounty program funded and have some audits done
Imustaskforhelp|1 month ago
Now I must admit though that I am little concerned by the fact that the vulnerability reporters tried multiple times to contact you but till no avail. This is not a good look at all and I hope you can fix it asap as you mention
I respect dax from the days of SST framework but this is genuinely such a bad look especially when they Reported on 2025-11-17, and multiple "no responses" after repeated attempts to contact the maintainers...
Sure they reported the bug now but who knows what could have / might have even been happening as OpenCode was the most famous open source coding agent and surely more cybersec must have watched it, I can see a genuine possibility where something must have been used in the wild as well from my understanding from black hat adversaries
I think this means that we should probably run models in gvisor/proper sandboxing efforts.
Even right now, we don't know how many more such bugs might persist and can lead to even RCE.
Dax, This short attention would make every adversary look for even more bugs / RCE vulnerabilities right now as we speak so you only have a very finite time in my opinion. I hope things can be done as fast as possible now to make OpenCode more safer.
Rygian|1 month ago
Spend that money in reorganizing your management and training your staff so that everyone in your company is onboard with https://owasp.org/Top10/2025/A06_2025-Insecure_Design/ .
bopbopbop7|1 month ago
digdugdirk|1 month ago
It really seems like the main focus of the project should be in how to organize the work of the project, rather than on the specs/requirements/development of the codebase itself.
What are the general recommendations the team has been getting for how to manage the development velocity? And have you looked into various anarchist organizational principles?
observationist|1 month ago
unknown|1 month ago
[deleted]
heliumtera|1 month ago
unknown|1 month ago
[deleted]
cryptonector|1 month ago
dionian|1 month ago
unknown|1 month ago
[deleted]
rtaylorgarlock|1 month ago
falloutx|1 month ago
kaliszad|1 month ago
Please run at least a dev-container or a VM for the tools. You can use RDP/ VNC/ Spice or even just the terminal with tmux to work within the confines of the container/ machine. You can mirror some stuff into the container/ machine with SSHFS, Samba/ NFS, 9p. You can use all the traditional tools, filesystems and such for reliable snapshots. Push the results separately or don't give direct unrestricted git access to the agent.
It's not that hard. If you are super lazy, you can also pay for a VPS $5/month or something like that and run the workload there.
tomrod|1 month ago
> Please run at least a dev-container or a VM for the tools.
I would like to know how to do this. Could you share your favorite how-to?
indigodaddy|1 month ago
[1] https://github.com/jgbrwn/shelley-lxc
unknown|1 month ago
[deleted]
_zoltan_|1 month ago
Imustaskforhelp|1 month ago
Oh btw if someone wants to run servers via qemu, I highly recommend quickemu. It provides default ssh access,sshfs, vnc,spice and all such ports to just your local device of course and also allows one to install debian or any distro (out of many many distros) using quickget.
Its really intuitive for what its worth, definitely worth a try https://github.com/quickemu-project/quickemu
I personally really like zed with ssh open remote. I can always open up terminals in it and use claude code or opencode or any and they provide AI as well (I dont use much AI this way, I make simple scripts for myself so I just copy paste for free from the websites) but I can recommend zed for what its worth as well.
throw_me_uwu|1 month ago
never_inline|1 month ago
Hamuko|1 month ago
Bridged7756|1 month ago
lifetimerubyist|1 month ago
ollien|1 month ago
What's the difference here between this and, for example, the Neovim headless server or the VSCode remote SSH daemon? All three listen on 127.0.0.1 and would grant execution access to another process who could speak to them.
Is there a difference here? Is the choice of HTTP simply a bad one because of the potential browser exploitation, which can't exist for the others?
mirashii|1 month ago
VS Code’s ssh daemon is authenticated.
winstonwinston|1 month ago
I don’t use VSCode you have mentioned so i don’t know how it is implemented but one can guess that it is implemented with some authentication in mind.
AlexErrant|1 month ago
Reported 2025-11-17, and multiple "no responses" after repeated attempts to contact the maintainers... not a good look.
pama|1 month ago
https://github.com/anomalyco/opencode/issues/6355#issuecomme...
bayarearefugee|1 month ago
everybody is vibecoding now, and dealing with massive security issues is bad vibes.
unknown|1 month ago
[deleted]
heavyset_go|1 month ago
> Network Boundary Shield
> The Network Boundary Shield (NBS) is a protection against attacks from an external network (the Internet) to an internal network - especially against a reconnaissance attack where a web browser is abused as a proxy.
> The main goal of NBS is to prevent attacks where a public website requests a resource from the internal network (e.g. the logo of the manufacturer of the local router); NBS will detect that a web page hosted on the public Internet is trying to connect to a local IP address. NBS only blocks HTTP requests from a web page hosted on a public IP address to a private network resource; the user can allow specific web pages to access local resources (e.g. when using Intranet services).
https://jshelter.org/nbs/
zmmmmm|1 month ago
> When server is enabled, any web page served from localhost/127.0.0.1 can execute code
> When server is enabled, any local process can execute code without authentication
> No indication when server is running (users may be unaware of exposure)
I'm sorry this is horrible. I really want there to be a good actual open cross-provider agentic coding tool, but this seems to me to be abusive of people's trust of TUI apps - part of the reason we trust them is they typically DON'T do stuff like this.
BrouteMinou|1 month ago
glerk|1 month ago
blindseer|1 month ago
afaict, for that project they never went through PCI compliance. See original thread for more information: https://news.ycombinator.com/item?id=40228751
They seem to not have a lot of real world experience and/or throw caution to the wind and YOLO through security practices. I'd be weary using any of their products.
yawaramin|1 month ago
tempaccsoz5|1 month ago
[0]: https://www.ycombinator.com/companies/sst
[1]: https://anoma.ly/
deaux|1 month ago
I have no idea where you got your internal image of YC-backed companies from, but it needs massive adjusting.
[0] https://news.ycombinator.com/item?id=46555807
notachatbot123|1 month ago
hsaliak|1 month ago
greenchair|1 month ago
shimman|1 month ago
seaal|1 month ago
falloutx|1 month ago
lvl155|1 month ago
Having said that, there is definitely a need for open platform to utilize multiple vendors and models. I just don’t think the big three (Anthropic, OAI and Google) will cede that control over with so much money on the line.
theshrike79|1 month ago
Amp can do small utility scripts and changes for free (especially if you enable the ads) and Crush+GLM is pretty good at following plans done by Claude or Codex
[0] https://ampcode.com/
[1] https://github.com/charmbracelet/crush
AlexCoventry|1 month ago
It does take a lot of discipline to review everything instead of pile on another feature, when it's so cheap to do.
capybarafriend|1 month ago
> Hey - have some bad news.
> We accidentally committed your email to our repo as part of a script that was activating OpenCode Black.
> No other information was included, just the email on its own.
bopbopbop7|1 month ago
blibble|1 month ago
JoshPurtell|1 month ago
angry_octet|1 month ago
bandrami|1 month ago
hsbauauvhabzb|1 month ago
phyzome|1 month ago
blackbear_|1 month ago
Meanwhile, running opencode in a podman container seems to stop this particular, err, feature.
pamcake|1 month ago
bandrami|1 month ago
BenGosub|1 month ago
Imustaskforhelp|1 month ago
Atleast they didnt implode their communications like I see from some other companies.
To be really honest, when you bet on AI agents, I feel like soemtimes you bet on the future of the product as well which is built by the people so you are basically betting on the people.
I'd much rather bet/rely on people who are sensibile in communications in troubled times like this than who implode sometimes (I mean no offense to Coderabbit but this is what comes to my head right now)
So moments like these become the litmus test of the products basically imo by seeing how people communicate etc.
miduil|1 month ago
Maybe I'm using GitHub code search wrongly, but it appears this was just never part of even a pull request - the practice of just having someone pushing to `dev` (default branch) which then will be tagged should perhaps also be revisited.
(Several more commits under `wip: bash` and `feat: bash commands`)
https://github.com/anomalyco/opencode/commit/7505fa61b9caa17...
https://github.com/anomalyco/opencode/commit/93b71477e665600...
jerrythegerbil|1 month ago
To be clear, this is a vulnerability. Just the same as exposing unauthenticated telnet is a vulnerability. User education is always good, but at some point in the process of continuing to build user-friendly footguns we need to start blaming the users. “It is what it is”, Duh.
This “vulnerability” has been known by devs in my circle for a while, it’s literally the very first intuitive question most devs ask themselves when using opencode, and then put authentication on top.
Particularly in the AI space it’s going to be more and more common to see users punching above their weight with deployments. Let em learn. Let em grow. We’ll see this pain multiply in the future if these lessons aren’t learned early.
CyberShadow|1 month ago
rcarmo|1 month ago
GoblinSlayer|1 month ago
It saw goproxy.cn and used goproxy.cn, looks linear to me.
rdtsc|1 month ago
So did they fix it silently, without responding to the researcher, or they fixed the silent part where now user is made a aware that a website is trying to execute code on their machine.
Hamuko|1 month ago
never_inline|1 month ago
But this leaves a very bad taste.
Guess I will stick to aider and copy-pasting.
Spivak|1 month ago
The rest is just code running as your user can talk to code running as your user. I don't really consider this to be a security boundary. If I can run arbitrary code by hitting a URL I accept that any program running as me can as well. Going above and beyond is praiseworthy (good for you turning on SELinux as an example) but I don't expect it by default.
CyberShadow|1 month ago
No, that's a Chrome-specific feature that Google added. It is not part of any standard, and does not exist in other browsers (e.g. Safari and Firefox).
> The rest is just code running as your user can talk to code running as your user
No, that assumes that there is only a single user on the machine, and there are either no forms of isolation or that all forms of isolation also use private network namespaces, which has not been how daemons are isolated in UNIX or by systemd. For example, if you were to ever run OpenCode as root, any local process can trivially gain root as well.
unknown|1 month ago
[deleted]
dxuh|1 month ago
kmarc|1 month ago
Apparently a group of devs forked it: https://github.com/dwash96/cecli
Haven't tried yet
pixl97|1 month ago
Also it uses astro 5.7.13 that may have an SSRF of it's own. No idea if would be exploitable, but way out of date packages with potential security risks are a good place to start looking.
gpm|1 month ago
grncdr|1 month ago
kachapopopow|1 month ago
forgotTheLast|1 month ago
AlexAltea|1 month ago
Bridged7756|1 month ago
lifetimerubyist|1 month ago
m3kw9|1 month ago
thehamkercat|1 month ago
which introduced so many bugs that people unsubscribed
troyvit|1 month ago
fragmede|1 month ago
kachapopopow|1 month ago
come on people, docker and podman exist, please use them - it isolates you not only from problems like this but supply chain attacks as well.
it also has superior compatibility, any person working on your project will have all the tools available to compile it since to build & run it you use a simple Containerfile.
(rather outdated now: https://github.com/DeprecatedLuke/claude-loop)
unknown|1 month ago
[deleted]