Dev.to, Jan 28, 2026, 8:15 AM
OpenCode's symlink bug turns cloned 'starter templates' into secret-stealing machines—your SSH keys say thanks for not auditing links

A security researcher has discovered a vulnerability in OpenCode's File API, specifically a symlink escape issue that allows unauthorized access to sensitive files. The vulnerability, found in OpenCode version 1.1.25, enables attackers to read files outside the project directory by creating symlinks to sensitive files, such as SSH keys or cloud credentials. The researcher reported the issue to the maintainers, who responded that securing server mode is the user's responsibility. The vulnerability has significant implications, as it can lead to credential theft and data exfiltration. To mitigate the issue, users are advised to audit symlinks in unfamiliar repositories and remove suspicious ones. A simple fix, involving the use of the realpath function to resolve the canonical path, has been proposed. The vulnerability has been classified as high-risk, with a CVSS score indicating a significant confidentiality impact. The discovery highlights the importance of secure coding practices and responsible disclosure in the tech industry.
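
The two defenses named above, the symlink audit for an unfamiliar repository and the realpath-based containment check, as an added example that is not OpenCode's code or the researcher's patch. Python's `os.path.realpath` stands in for the realpath function mentioned; the function names and the sample directory layout are constructed for illustration.

```python
import os
import tempfile


def is_within_root(root, candidate):
    """True if candidate's canonical path stays under root's canonical path."""
    root_real = os.path.realpath(root)
    return os.path.commonpath([root_real, os.path.realpath(candidate)]) == root_real


def find_escaping_symlinks(root):
    """Audit: list (link, resolved target) for symlinks that leave the repository."""
    findings = []
    # followlinks=False so the walk never descends through a symlinked directory.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) and not is_within_root(root, path):
                findings.append((os.path.relpath(path, root), os.path.realpath(path)))
    return sorted(findings)


def safe_read(root, relative_path):
    """Server-side check: resolve first, compare to the root, open the resolved path."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, relative_path))
    if os.path.commonpath([root_real, target]) != root_real:
        raise PermissionError(f"{relative_path!r} resolves outside the project root")
    with open(target, "rb") as fh:
        return fh.read()


def demo():
    """Constructed sample: a cloned template with one internal and one escaping link."""
    base = tempfile.mkdtemp()
    repo, outside = os.path.join(base, "template"), os.path.join(base, "home")
    os.makedirs(os.path.join(repo, "docs"))
    os.makedirs(outside)
    with open(os.path.join(outside, "secret.txt"), "w") as fh:
        fh.write("constructed secret")
    with open(os.path.join(repo, "README.md"), "w") as fh:
        fh.write("hello")
    os.symlink("../README.md", os.path.join(repo, "docs", "readme-link"))  # stays inside
    os.symlink(os.path.join(outside, "secret.txt"), os.path.join(repo, "notes.txt"))  # escapes
    return repo, find_escaping_symlinks(repo)


if __name__ == "__main__":
    print(demo()[1])
```

A link that resolves inside the repository is not reported, so relative links between project files do not produce noise. Resolving and then opening still leaves a short race window if the tree can change in between, so run the audit on a fresh clone before starting any tool that serves files from it.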
