| 제목 | Kilo-Org kilocode 7.0.47 Arbitrary File Read (CWE-200) |
|---|
| 설명 | # Technical Details
An Arbitrary File Read vulnerability exists in the `load` method in `packages/opencode/src/config/config.ts` of kilocode.
The application fails to disable token substitution when parsing the `KILO_CONFIG_CONTENT` environment variable. An attacker can inject a payload using the `{file:/path}` template that forces the CLI to parse and read local files during configuration loading, which are then leaked via Zod Schema Validation errors.
# Vulnerable Code
File: packages/opencode/src/config/config.ts
Method: load
Why: The function evaluates inline `{file:path}` templates and substitutes file contents inside key definitions before strict schema validation (Zod) occurs, dumping the extracted file payload in the crash traceback logic.
# Reproduction
1. Configure the `KILO_CONFIG_CONTENT` environment variable introducing an invalid key name encapsulating a file directive: `export KILO_CONFIG_CONTENT='{"invalid_key_{file:/etc/passwd}":"value"}'`
2. Call the CLI targeting a simple sub-command to trigger configuration initialization: `bun run src/index.ts auth ls --print-logs`.
3. The content of `/etc/passwd` will be actively printed in the resulting crash standard error traceback.
# Impact
- Exposure of Highly Sensitive Information: Attackers with local or environment control can read system files, `.env` file API keys, SSH private keys, and cloud configurations.
- Access Escalation within CI/CD pipelines or serverless deployments. |
|---|
| 원천 | ⚠️ https://gist.github.com/YLChen-007/32b444e49ced1a46bde5a68933ccd09f |
|---|
| 사용자 | Eric-d (UID 96861) |
|---|
| 제출 | 2026. 04. 23. PM 02:40 (1 월 ago) |
|---|
| 모더레이션 | 2026. 05. 17. AM 10:55 (24 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 364391 [Kilo-Org kilocode 까지 7.0.47 Environment Variable config.ts load KILO_CONFIG_CONTENT 정보 공개] |
|---|
| 포인트들 | 20 |
|---|