OpenCode File Read Vulnerability PoC
Security Research Demonstration
This page demonstrates a vulnerability in OpenCode's client-server architecture:
- No CORS validation - any website can make requests to the server and read the responses
- No authentication - no tokens or credentials are required
- Arbitrary file read - via GET /file/content?path=...
How This Works
- The OpenCode server binds to 127.0.0.1 on an ephemeral port (49152-65535)
- The server uses .use(cors()) with no origin restrictions, so responses are readable from any origin
- This allows any website the user visits to scan localhost ports from the browser and find the server
- Once found, the page can read arbitrary files from the filesystem through the unauthenticated endpoint
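As an added example (not code from the PoC page or from the OpenCode project), the wide-open policy that a bare cors() amounts to is modelled beside a hardened policy that only emits Access-Control-Allow-Origin for a configured origin and requires a bearer token. The function names, the allowed origin, the token and the fake filesystem are assumptions.

```javascript
// Added example, hypothetical: origin allowlist + token check for a
// localhost API's GET /file/content route. Not OpenCode's own code.

// What .use(cors()) with no options amounts to: every origin may read responses.
const OPEN_POLICY = { allowedOrigins: '*', requireToken: false };

// Hardened policy (assumed values): only the front-end's own origin may read
// responses, and every request must carry a per-launch bearer token.
const HARDENED_POLICY = {
  allowedOrigins: ['http://127.0.0.1:3000'],
  requireToken: true,
  token: 'example-session-token', // constructed; generate randomly at startup
};

// Which Access-Control-Allow-Origin value, if any, to emit for a request
// carrying the given Origin header. null means the browser blocks the read.
function corsHeaderFor(origin, policy) {
  if (policy.allowedOrigins === '*') return '*';
  if (origin && policy.allowedOrigins.includes(origin)) return origin;
  return null;
}

// Simulated handling of GET /file/content for a request shaped as
// { origin, path, authorization }. Returns what the caller would observe.
function handleFileContent(req, policy, readFile) {
  const acao = corsHeaderFor(req.origin, policy);
  if (policy.requireToken && req.authorization !== `Bearer ${policy.token}`) {
    return { status: 401, acao, body: null }; // no credential: refuse
  }
  if (req.origin && acao === null) {
    return { status: 403, acao, body: null }; // server-side origin check, not browser-only
  }
  return { status: 200, acao, body: readFile(req.path) };
}

// Constructed stand-in for the filesystem.
const fakeFs = { '/home/user/notes.txt': 'notes (constructed content)' };
const readFile = (p) => (p in fakeFs ? fakeFs[p] : null);

// A cross-site page's request: foreign Origin, no token.
const crossSiteRequest = {
  origin: 'https://other-site.example',
  path: '/home/user/notes.txt',
  authorization: undefined,
};

console.log(handleFileContent(crossSiteRequest, OPEN_POLICY, readFile));     // status 200, acao '*'
console.log(handleFileContent(crossSiteRequest, HARDENED_POLICY, readFile)); // status 401, acao null
```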