The flaw turns a developer productivity tool into a remote code execution vector, jeopardizing individual machines and the broader software supply chain. Unchecked exposure can lead to credential theft, malware deployment, and network compromise across organizations that adopt OpenCode.
OpenCode has quickly become a staple for developers seeking AI-driven code suggestions, but its recent security flaw underscores how convenience can mask critical risk. The vulnerable component was an internal HTTP server that started automatically when the tool launched, listening on a high-numbered port without authentication. By exposing endpoints for shell commands, PTY sessions, and file reads, the server granted any local process, or a malicious web page exploiting lax CORS settings, full control over the host environment. Versions before 1.1.10 left users defenseless, while the default-on behavior persisted even after partial patches.
This incident highlights a recurring theme in the developer‑tool supply chain: insecure defaults and overly permissive network interfaces can turn benign utilities into attack surfaces. Similar vulnerabilities have plagued IDE extensions, package managers, and container runtimes, often leading to widespread compromise when the affected software is widely adopted. The hard‑coded CORS allowance for *.opencode.ai amplified the threat, enabling cross‑origin attacks from any compromised sub‑domain or XSS vector. Moreover, the optional --mdns flag bound the server to all network interfaces, exposing machines to lateral movement within local networks.
Mitigation now centers on disciplined updates and configuration hygiene. Users should verify they run v1.1.10 or later, confirm the server is disabled, and avoid enabling it unless absolutely necessary. Disabling the --mdns flag, restricting CORS to trusted origins, and implementing authentication for any exposed endpoint are essential hardening steps. For maintainers, the episode serves as a reminder to enforce secure‑by‑default designs, provide clear runtime indicators, and maintain responsive security disclosure channels. As AI‑assisted development tools proliferate, rigorous security reviews will be vital to protect both developers and the ecosystems they serve.
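The hardening steps above (server off unless needed, loopback-only binding, exact-origin CORS, authentication on every endpoint) can be combined into one request gate. This is an added example, not OpenCode's code; the function names, config shape, token and origins are assumptions constructed for illustration.

```javascript
// Added example: not OpenCode source. Names, config shape and sample values are constructed.

// Weak pattern from the article: every sub-domain of one parent domain is a trusted origin.
function wildcardOriginAllowed(origin, parent) {
  try {
    const { protocol, hostname } = new URL(origin);
    return protocol === "https:" && hostname.endsWith("." + parent);
  } catch {
    return false; // unparsable Origin header
  }
}

// Hardened pattern: exact match against a short list of full origins.
function exactOriginAllowed(origin, allowList) {
  return typeof origin === "string" && allowList.includes(origin);
}

// String comparison whose running time does not depend on where the mismatch is.
function constantTimeEqual(presented, expected) {
  let diff = presented.length ^ expected.length;
  for (let i = 0; i < expected.length; i++) {
    diff |= (presented.charCodeAt(i % (presented.length || 1)) || 0) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Gate for a local control endpoint: disabled by default, loopback only,
// exact-origin CORS for browser requests, and a bearer token for every caller.
function authorize(req, cfg) {
  if (!cfg.enabled) return "deny: server disabled";
  if (!["127.0.0.1", "::1"].includes(cfg.bindHost)) return "deny: non-loopback bind";
  if (req.origin !== undefined && !exactOriginAllowed(req.origin, cfg.allowedOrigins)) {
    return "deny: origin not allowed";
  }
  const header = req.authorization || "";
  if (!header.startsWith("Bearer ") || !constantTimeEqual(header.slice(7), cfg.token)) {
    return "deny: missing or bad token";
  }
  return "allow";
}

const cfg = { enabled: true, bindHost: "127.0.0.1", token: "constructed-sample-token",
              allowedOrigins: ["https://app.example.test"] };
const browserReq = { origin: "https://compromised.opencode.ai" }; // constructed origin
console.log(wildcardOriginAllowed(browserReq.origin, "opencode.ai")); // weak check accepts it
console.log(authorize(browserReq, cfg));                               // hardened gate denies it
console.log(authorize({ authorization: "Bearer constructed-sample-token" }, cfg));
```

Requests with no Origin header, which is how a local non-browser process appears, skip the CORS check but still need the token, so the gate covers both callers the article names.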