| tiêu đề | Kilo-Org kilocode 7.0.47 Path Traversal (CWE-22) |
|---|
| Mô tả | # Technical Details
An Unrestricted Path Traversal vulnerability exists in the `detailMeta` method in `packages/opencode/src/kilocode/review/worktree-diff.ts` of kilocode.
The application fails to restrict user-controlled strings when reconstructing file boundaries handled within the `/experimental/worktree/diff/file` API endpoint. Attackers can inject directory traversal syntax (`../`) via the `file` query parameter.
# Vulnerable Code
File: packages/opencode/src/kilocode/review/worktree-diff.ts
Method: detailMeta
Why: The function uses `path.join(dir, file)` which interpolates traversal sequences, then allows `Bun.file()` to process it without normalizing or validating that the target is still within the root workspace directory.
# Reproduction
1. Start the Kilocode instance.
2. Send an authenticated or accessible request to the `http://localhost:4096/experimental/worktree/diff/file` endpoint.
3. Supply a crafted `file` parameter with a traversal structure, e.g., `?file=../../../../../../../../etc/passwd` and a valid base ref.
# Impact
- Arbitrary Local File Read: Attackers can gain unrestricted read access to the filesystem, exposing passwords (`/etc/shadow`), private SSH keys, and system configuration metrics.
- Complete system compromise and expanded lateral damage. |
|---|
| Nguồn | ⚠️ https://gist.github.com/YLChen-007/1770f4530b0c933dc61f15b02aa0629d |
|---|
| Người dùng | Eric-d (UID 96861) |
|---|
| Đệ trình | 23/04/2026 14:40 (cách đây 1 tháng) |
|---|
| Kiểm duyệt | 17/05/2026 10:55 (24 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 364390 [Kilo-Org kilocode đến 7.0.47 File Diff API Endpoint worktree-diff.ts Bun.file Tệp tin duyệt thư mục] |
|---|
| điểm | 20 |
|---|