OpenHands Command Injection Vulnerability in Git Diff Handler
A command injection vulnerability exists in OpenHands' `get_git_diff()` method, allowing authenticated attackers to execute arbitrary commands in the agent sandbox via the `/api/conversations/{conversation_id}/git/diff` endpoint by exploiting the unsanitized `path` parameter.
OpenHands is vulnerable to command injection due to insufficient sanitization of the path parameter in the /api/conversations/{conversation_id}/git/diff API endpoint. This endpoint, handled by the get_git_diff() method within openhands/runtime/utils/git_handler.py, allows authenticated users to pass arbitrary commands to the underlying shell. The vulnerability exists because the file_path parameter is directly interpolated into a shell command string using Python's .format() method without sanitization, allowing for the interpretation of shell metacharacters. This bypasses the normal agent command execution channels and provides a direct path for attackers to execute code within the agent sandbox. The affected versions are pip/openhands < 1.5.0. This vulnerability was reported on 2026-03-25.
Attack Chain
- An authenticated user sends a crafted HTTP GET request to the
/api/conversations/{conversation_id}/git/diffendpoint. - The request includes a malicious
pathparameter containing shell metacharacters (e.g.,;,|,&). - The
git_difffunction inopenhands/server/routes/files.pyreceives thepathparameter. - The
pathparameter is passed unsanitized to theruntime.get_git_difffunction. - The
get_git_difffunction inopenhands/runtime/base.pythen callsself.git_handler.get_git_diff(file_path). - Within
openhands/runtime/utils/git_handler.py, thefile_pathis directly inserted into theGIT_DIFF_CMDstring using.format()without sanitization. - The resulting command string is executed via
subprocess.runwithshell=Trueinopenhands/runtime/utils/git_diff.py, enabling shell metacharacter interpretation. - The attacker-supplied commands are executed on the system, achieving arbitrary code execution.
Impact
Successful exploitation allows attackers to execute arbitrary commands on the runtime container as root, leading to significant compromise. Attackers can read sensitive files (e.g., .env, API keys, source code), write arbitrary files, inject malicious code, establish reverse shells for persistent access, and potentially escape the container if Docker is misconfigured. This impacts all OpenHands deployments exposing the vulnerable endpoint.
Recommendation
- Upgrade OpenHands to the latest version that includes the fix from PR #13051 to address the command injection vulnerability.
- Deploy the Sigma rule
Detect OpenHands Git Diff Command Injection Attemptto your SIEM to detect exploitation attempts based on shell metacharacters in thepathparameter. - Implement input validation and sanitization for the
pathparameter in the/api/conversations/{conversation_id}/git/diffendpoint to prevent shell metacharacters from being processed.
Detection coverage 2
Detect OpenHands Git Diff Command Injection Attempt
highDetects command injection attempts in the OpenHands Git Diff endpoint by identifying shell metacharacters in the path parameter.
Detect OpenHands Git Diff Suspicious File Path Access
mediumDetects attempts to access sensitive files via the OpenHands Git Diff endpoint, indicating potential command injection exploitation.
Detection queries are available on the platform. Get full rules →