---
type: "attack-path"
title: "OPENCODE-EXPLOIT-CHAIN-2025"
description: "OpenCode vulnerability chain discovered by Cloudflare's product security team in December 2025."
resource: "tlctc:attack-path:opencode-exploit-chain-2025"
tags:
  - "attack-path"
  - "cluster-9"
  - "cluster-3"
  - "cluster-1"
  - "confidence-high"
timestamp: "2026-04-09T00:00:00Z"
tlctc_version: "2.1"
---
# OPENCODE-EXPLOIT-CHAIN-2025

## Attack path

```
||[browser][@Attacker→@Victim]|| #9 →[Δt=instant] #3 →[Δt=instant] #1 + [DRE: C, I, A]
```

# Schema

| Step | Cluster | Boundary | Δt→next | DRE |
|---|---|---|---|---|
| s1-malicious-website-lure | [#9](/clusters/cluster-9.md) | \|\|[browser][@Attacker→@Victim]\|\| | instant |  |
| s2-xss-via-url-override | [#3](/clusters/cluster-3.md) |  | instant |  |
| s3-pty-rce | [#1](/clusters/cluster-1.md) |  |  | C, I, A |

## Step notes

- **s1-malicious-website-lure:** Victim visits a malicious website that targets users running OpenCode's web UI. The website crafts a URL with a malicious ?url= parameter to override the server URL, loading an attacker-controlled chat session. This is #9 Social Engineering: the bridge cluster crosses the human boundary — the victim must navigate to or click a link. The technical exploitation happens after the boundary crossing.
- **s2-xss-via-url-override:** The OpenCode web UI on localhost:4096 accepts the malicious ?url= parameter, loading attacker-controlled LLM response content. The markdown renderer lacks sanitization, allowing HTML/JavaScript injection resulting in XSS on the localhost:4096 origin. R-ROLE: the OpenCode web UI is in a client role relative to the attacker's controlled content — the attacker provides the response data that the client renders. This is #3 Exploiting Client: a technical vulnerability in client-side input handling (insufficient sanitization of rendered markdown).
- **s3-pty-rce:** The XSS payload, now executing within the localhost:4096 origin, calls the /pty/ API endpoint to spawn arbitrary local processes. The /pty/ endpoint functions exactly as designed — it is a legitimate process-spawning API. The XSS provides the same-origin context needed to invoke it. This is #1 Abuse of Functions: the /pty/ API operates within its designed parameters; the attacker abuses legitimate functionality enabled by the XSS foothold. DRE: C, I, A — full local system compromise via arbitrary command execution. The developer fixed the vulnerability after Cloudflare's disclosure.
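
Steps s2 and s3 depend on two client-side gaps: an unvalidated `?url=` override and unsanitized rendering of response content. The following is an added defensive sketch, not OpenCode's code or the developer's actual fix; the function names, the allowlist contents and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example: hypothetical names, not OpenCode's code or its actual fix.
const DEFAULT_SERVER = "http://localhost:4096";
// Assumption: only the local server is a legitimate backend for the web UI.
const ALLOWED_ORIGINS = new Set(["http://localhost:4096", "http://127.0.0.1:4096"]);

// Resolve the backend the UI talks to. A ?url= override is honoured only when
// its parsed origin is allowlisted; anything else falls back to the default.
function resolveServerUrl(pageUrl) {
  const override = new URL(pageUrl).searchParams.get("url");
  if (override === null) return { server: DEFAULT_SERVER, rejected: false };
  let parsed;
  try {
    parsed = new URL(override);
  } catch {
    return { server: DEFAULT_SERVER, rejected: true }; // not an absolute URL
  }
  // Compare the parsed origin, never a string prefix: userinfo tricks such as
  // "http://localhost:4096@other-host/" have a different origin and must fail.
  if (!ALLOWED_ORIGINS.has(parsed.origin)) {
    return { server: DEFAULT_SERVER, rejected: true };
  }
  return { server: parsed.origin, rejected: false };
}

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render response content: escape everything first, then apply a small
// markdown subset (inline code, bold) to the escaped text, so markup carried
// in the response is shown as text instead of reaching the DOM as HTML.
function renderModelOutput(markdown) {
  return escapeHtml(markdown)
    .replace(/`([^`]+)`/g, "<code>$1</code>")
    .replace(/\*\*([^*]+)\*\*/g, "<strong>$1</strong>");
}

// Constructed sample inputs (not taken from the disclosure).
const samples = [
  "http://localhost:4096/",
  "http://localhost:4096/?url=https%3A%2F%2Fattacker.example",
  "http://localhost:4096/?url=http://localhost:4096@evil.example/",
];
for (const s of samples) console.log(s, "->", JSON.stringify(resolveServerUrl(s)));
console.log(renderModelOutput("**hi** <img src=x onerror=alert(1)>"));
```

A rejected override is also worth logging: in this chain it is the first observable signal that a page is targeting the local web UI.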

# Citations

OpenCode vulnerability chain discovered by Cloudflare's product security team in December 2025. A malicious website could abuse the server URL override feature of the OpenCode web UI to achieve XSS on localhost:4096, which combined with the /pty/ API endpoints for spawning arbitrary local processes, enabled remote code execution. Cloudflare used OpenCode itself to discover the vulnerability ('dogfooding' AI for security research), demonstrating the 'MOE over sophistication' paradigm and 'security by the system'. Attack path: #9 -> #3 -> #1. Sources: Cloudflare 2026 Threat Report (pp. 8-9), Cloudflare product security disclosure.
