by
throw_me_uwu
156 days ago
WTF, they didn't just make an unauthenticated RCE HTTP endpoint, they also helpfully added a CORS bypass for it... all in a CLI tool? That silently starts an HTTP server??
4 comments
never_inline
156 days ago
Someone tell the AI labs to stop training on tutorial code.
Hamuko
156 days ago
I'm slightly surprised that the CORS policy wasn't just "*" considering how wide open the server itself was.
throw_me_uwu
156 days ago
That's the point, it was!
https://github.com/anomalyco/opencode/commit/7d2d87fa2c44e32...
gpm
156 days ago
It seems like it was prior to 1.0.216?
Bridged7756
156 days ago
Just run it in a sandbox, bro.
lifetimerubyist
156 days ago
It’s a vibe, bro.