by geoffmanning 153 days ago
The one thing here confusing to me is the past tense used throughout. This CVE seems presented as both past and present, yet the present evidence isn't... Presented.
1 comments

True: but technically the CVE was mitigated by OpenCode after 1.1.10

* Not running the server by default
* Patched the wide open CORS policy which left the server open to execution by any page you visited.

The server is still there but you have to explicitly enable it via `opencode serve`

The original disclosure has a table of fixes that have landed: https://cy.md/opencode-rce/