| Title | Kilo-Org kilocode 7.0.47 Arbitrary File Read (CWE-200) |
|---|
| Description | # Technical Details
An Arbitrary File Read vulnerability exists in the `load` method in `packages/opencode/src/config/config.ts` of kilocode.
The application fails to disable token substitution when parsing the `KILO_CONFIG_CONTENT` environment variable. An attacker who controls that variable can embed a `{file:/path}` template; the CLI then reads the referenced local file during configuration loading and, because the substituted content ends up inside an unrecognized key, echoes it in the Zod schema validation error.
# Vulnerable Code
File: packages/opencode/src/config/config.ts
Method: load
Why: The function evaluates inline `{file:path}` templates and substitutes the file contents, including inside key names, before strict schema validation (Zod) runs, so the extracted file contents are carried into the validation error that the crash traceback logic prints.
# Reproduction
1. Set the `KILO_CONFIG_CONTENT` environment variable to a JSON document whose key name is invalid and embeds a file directive: `export KILO_CONFIG_CONTENT='{"invalid_key_{file:/etc/passwd}":"value"}'`
2. Invoke the CLI with any simple sub-command so that configuration loading runs: `bun run src/index.ts auth ls --print-logs`.
3. The content of `/etc/passwd` is printed on standard error as part of the resulting crash traceback.
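To make the failure mode concrete, the following is an added illustrative example and not kilocode's own code: a minimal config loader in the shape the report describes, with template expansion run on the raw text before a strict validator, beside a hardened variant that never expands templates in environment-supplied content. The function names, the `ALLOWED_KEYS` set, the toy strict validator standing in for a Zod `.strict()` schema, and the JSON-escaping behaviour of the expander are all assumptions; the "secret" file is constructed in a temp directory so the example runs offline.

```typescript
// Added example, not kilocode's code. Names, the toy validator and the
// expander's escaping are assumptions made for illustration.
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

const TEMPLATE = /\{file:([^}]+)\}/g;

// Expand {file:/path} templates in the raw JSON text. The file body is escaped
// as a JSON string fragment so newlines in the file keep the document parseable
// (an assumption about how such an expander would behave).
function expandFileTemplates(raw: string): string {
  return raw.replace(TEMPLATE, (_match: string, filePath: string) =>
    JSON.stringify(fs.readFileSync(filePath, "utf8")).slice(1, -1),
  );
}

// Toy stand-in for a strict schema: unknown keys are rejected and, like Zod's
// "Unrecognized key(s)" issue, the offending key names are echoed in the error.
const ALLOWED_KEYS = new Set(["model", "theme"]);
function validateStrict(obj: Record<string, unknown>): void {
  const unknown = Object.keys(obj).filter((k) => !ALLOWED_KEYS.has(k));
  if (unknown.length > 0) {
    throw new Error(`Unrecognized key(s) in object: '${unknown.join("', '")}'`);
  }
}

// Vulnerable shape: templates are expanded on the raw text (keys included)
// before validation, so file contents travel into the error message.
export function loadConfigVulnerable(envContent: string): Record<string, unknown> {
  const obj = JSON.parse(expandFileTemplates(envContent));
  validateStrict(obj);
  return obj;
}

// Hardened shape: content arriving via an environment variable is parsed and
// validated as-is, with no template expansion. A `{file:...}` token is then an
// inert string, and the validator only ever echoes literal attacker text.
export function loadConfigHardened(envContent: string): Record<string, unknown> {
  const obj = JSON.parse(envContent);
  validateStrict(obj);
  return obj;
}

// Run the report's reproduction payload against both loaders and report
// whether the secret file's body appeared in the thrown error.
export function demo(): { vulnerableLeaks: boolean; hardenedLeaks: boolean } {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "cfg-leak-"));
  const secretPath = path.join(dir, "secret.txt");
  const marker = "SECRET-MARKER-a1b2c3"; // constructed stand-in for /etc/passwd
  fs.writeFileSync(secretPath, `${marker}\nsecond line\n`);

  // Same shape as the report's payload, with the temp file in place of /etc/passwd.
  const payload = JSON.stringify({ [`invalid_key_{file:${secretPath}}`]: "value" });

  const leaks = (loader: (s: string) => unknown): boolean => {
    try {
      loader(payload);
      return false; // no error at all, so nothing was echoed
    } catch (e) {
      return String((e as Error).message).includes(marker);
    }
  };

  try {
    return {
      vulnerableLeaks: leaks(loadConfigVulnerable),
      hardenedLeaks: leaks(loadConfigHardened),
    };
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}
```

`demo()` returns `vulnerableLeaks: true` and `hardenedLeaks: false`. If templates must still be supported for configuration files read from disk, the safer order is to parse and validate first and only then expand templates in the string values of recognized keys, never in key names, and to truncate or redact echoed key names in validation errors so a future expander cannot turn them into an exfiltration channel again.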
# Impact
- Exposure of Highly Sensitive Information: An attacker with local access or control over the process environment can read system files, API keys in `.env` files, SSH private keys, and cloud configurations.
- Access escalation within CI/CD pipelines or serverless deployments, where environment variables are frequently set from outside the process. |
|---|
| Source | https://gist.github.com/YLChen-007/32b444e49ced1a46bde5a68933ccd09f |
|---|
| User | Eric-d (UID 96861) |
|---|
| Submission | 23/04/2026 02:40 PM (1 month ago) |
|---|
| Moderation | 17/05/2026 10:55 AM (24 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 364391 [Kilo-Org kilocode up to 7.0.47 Environment Variable config.ts load KILO_CONFIG_CONTENT Information Disclosure] |
|---|
| Points | 20 |
|---|