> When server is enabled, any web page served from localhost/127.0.0.1 can execute code
> When server is enabled, any local process can execute code without authentication
> No indication when server is running (users may be unaware of exposure)
I'm sorry this is horrible. I really want there to be a good actual open cross-provider agentic coding tool, but this seems to me to be abusive of people's trust of TUI apps - part of the reason we trust them is they typically DON'T do stuff like this.
Please run at least a dev-container or a VM for the tools. You can use RDP/ VNC/ Spice or even just the terminal with tmux to work within the confines of the container/ machine. You can mirror some stuff into the container/ machine with SSHFS, Samba/ NFS, 9p. You can use all the traditional tools, filesystems and such for reliable snapshots. Push the results separately or don't give direct unrestricted git access to the agent.
It's not that hard. If you are super lazy, you can also pay for a VPS $5/month or something like that and run the workload there.
Oh btw if someone wants to run servers via qemu, I highly recommend quickemu. It provides default ssh access,sshfs, vnc,spice and all such ports to just your local device of course and also allows one to install debian or any distro (out of many many distros) using quickget.
Its really intuitive for what its worth, definitely worth a try https://github.com/quickemu-project/quickemu
I personally really like zed with ssh open remote. I can always open up terminals in it and use claude code or opencode or any and they provide AI as well (I dont use much AI this way, I make simple scripts for myself so I just copy paste for free from the websites) but I can recommend zed for what its worth as well.
What's the difference here between this and, for example, the Neovim headless server or the VSCode remote SSH daemon? All three listen on 127.0.0.1 and would grant execution access to another process who could speak to them.
Is there a difference here? Is the choice of HTTP simply a bad one because of the potential browser exploitation, which can't exist for the others?
we've done a poor job handling these security reports, usage has grown rapidly and we're overwhelmed with issues
we're meeting with some people this week to advise us on how to handle this better, get a bug bounty program funded and have some audits done
Now I must admit though that I am little concerned by the fact that the vulnerability reporters tried multiple times to contact you but till no avail. This is not a good look at all and I hope you can fix it asap as you mention
I respect dax from the days of SST framework but this is genuinely such a bad look especially when they Reported on 2025-11-17, and multiple "no responses" after repeated attempts to contact the maintainers...
Sure they reported the bug now but who knows what could have / might have even been happening as OpenCode was the most famous open source coding agent and surely more cybersec must have watched it, I can see a genuine possibility where something must have been used in the wild as well from my understanding from black hat adversaries
I think this means that we should probably run models in gvisor/proper sandboxing efforts.
Even right now, we don't know how many more such bugs might persist and can lead to even RCE.
Dax, This short attention would make every adversary look for even more bugs / RCE vulnerabilities right now as we speak so you only have a very finite time in my opinion. I hope things can be done as fast as possible now to make OpenCode more safer.
the issue that was reported was fixed as soon as we heard about it - going through the process of learning about the CVE process, etc now and setting everything up correctly. we get 100s of issues reported to us daily across various mediums and we're figuring out how to manage this
i can't really say much beyond this is my own inexperience showing
I might try OpenCode now once its get patched or after seeing the community for a while. Wishing the best of luck for a more secure future of opencode!
Just a thought, have you tried any way to triage these reported issues via LLMs, or constantly running an LLM to check the codebase for gaping security holes? Would that be in any way useful?
Anyway, thanks for your work on opencode and good luck.
It really seems like the main focus of the project should be in how to organize the work of the project, rather than on the specs/requirements/development of the codebase itself.
What are the general recommendations the team has been getting for how to manage the development velocity? And have you looked into various anarchist organizational principles?
Plenty of examples of people who implode when things get public, here it is being managed decently, even if not from the get-go.
https://github.com/anomalyco/opencode/commit/7d2d87fa2c44e32...
Reported 2025-11-17, and multiple "no responses" after repeated attempts to contact the maintainers... not a good look.
https://github.com/anomalyco/opencode/issues/6355#issuecomme...
Atleast they didnt implode their communications like I see from some other companies.
To be really honest, when you bet on AI agents, I feel like soemtimes you bet on the future of the product as well which is built by the people so you are basically betting on the people.
I'd much rather bet/rely on people who are sensibile in communications in troubled times like this than who implode sometimes (I mean no offense to Coderabbit but this is what comes to my head right now)
So moments like these become the litmus test of the products basically imo by seeing how people communicate etc.
Having said that, there is definitely a need for open platform to utilize multiple vendors and models. I just don’t think the big three (Anthropic, OAI and Google) will cede that control over with so much money on the line.
Amp can do small utility scripts and changes for free (especially if you enable the ads) and Crush+GLM is pretty good at following plans done by Claude or Codex
Maybe I'm using GitHub code search wrongly, but it appears this was just never part of even a pull request - the practice of just having someone pushing to `dev` (default branch) which then will be tagged should perhaps also be revisited.
(Several more commits under `wip: bash` and `feat: bash commands`)
https://github.com/anomalyco/opencode/commit/7505fa61b9caa17...
https://github.com/anomalyco/opencode/commit/93b71477e665600...
> Network Boundary Shield
> The Network Boundary Shield (NBS) is a protection against attacks from an external network (the Internet) to an internal network - especially against a reconnaissance attack where a web browser is abused as a proxy.
> The main goal of NBS is to prevent attacks where a public website requests a resource from the internal network (e.g. the logo of the manufacturer of the local router); NBS will detect that a web page hosted on the public Internet is trying to connect to a local IP address. NBS only blocks HTTP requests from a web page hosted on a public IP address to a private network resource; the user can allow specific web pages to access local resources (e.g. when using Intranet services).
Meanwhile, running opencode in a podman container seems to stop this particular, err, feature.
So did they fix it silently, without responding to the researcher, or they fixed the silent part where now user is made a aware that a website is trying to execute code on their machine.
> Hey - have some bad news.
> We accidentally committed your email to our repo as part of a script that was activating OpenCode Black.
> No other information was included, just the email on its own.