{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/openhands/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenHands"],"_cs_severities":["high"],"_cs_tags":["command-injection","web-application","openhands"],"_cs_type":"advisory","_cs_vendors":["OpenHands"],"content_html":"\u003cp\u003eOpenHands is vulnerable to command injection due to insufficient sanitization of the \u003ccode\u003epath\u003c/code\u003e parameter in the \u003ccode\u003e/api/conversations/{conversation_id}/git/diff\u003c/code\u003e API endpoint. This endpoint, handled by the \u003ccode\u003eget_git_diff()\u003c/code\u003e method within \u003ccode\u003eopenhands/runtime/utils/git_handler.py\u003c/code\u003e, allows authenticated users to pass arbitrary commands to the underlying shell.  The vulnerability exists because the \u003ccode\u003efile_path\u003c/code\u003e parameter is directly interpolated into a shell command string using Python's \u003ccode\u003e.format()\u003c/code\u003e method without sanitization, allowing for the interpretation of shell metacharacters. This bypasses the normal agent command execution channels and provides a direct path for attackers to execute code within the agent sandbox.  The affected versions are pip/openhands \u0026lt; 1.5.0. This vulnerability was reported on 2026-03-25.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user sends a crafted HTTP GET request to the \u003ccode\u003e/api/conversations/{conversation_id}/git/diff\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a malicious \u003ccode\u003epath\u003c/code\u003e parameter containing shell metacharacters (e.g., \u003ccode\u003e;\u003c/code\u003e, \u003ccode\u003e|\u003c/code\u003e, \u003ccode\u003e\u0026amp;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egit_diff\u003c/code\u003e function in \u003ccode\u003eopenhands/server/routes/files.py\u003c/code\u003e receives the \u003ccode\u003epath\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epath\u003c/code\u003e parameter is passed unsanitized to the \u003ccode\u003eruntime.get_git_diff\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eget_git_diff\u003c/code\u003e function in \u003ccode\u003eopenhands/runtime/base.py\u003c/code\u003e then calls \u003ccode\u003eself.git_handler.get_git_diff(file_path)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eWithin \u003ccode\u003eopenhands/runtime/utils/git_handler.py\u003c/code\u003e, the \u003ccode\u003efile_path\u003c/code\u003e is directly inserted into the \u003ccode\u003eGIT_DIFF_CMD\u003c/code\u003e string using \u003ccode\u003e.format()\u003c/code\u003e without sanitization.\u003c/li\u003e\n\u003cli\u003eThe resulting command string is executed via \u003ccode\u003esubprocess.run\u003c/code\u003e with \u003ccode\u003eshell=True\u003c/code\u003e in \u003ccode\u003eopenhands/runtime/utils/git_diff.py\u003c/code\u003e, enabling shell metacharacter interpretation.\u003c/li\u003e\n\u003cli\u003eThe attacker-supplied commands are executed on the system, achieving arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary commands on the runtime container as root, leading to significant compromise.  Attackers can read sensitive files (e.g., \u003ccode\u003e.env\u003c/code\u003e, API keys, source code), write arbitrary files, inject malicious code, establish reverse shells for persistent access, and potentially escape the container if Docker is misconfigured. This impacts all OpenHands deployments exposing the vulnerable endpoint.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenHands to the latest version that includes the fix from PR #13051 to address the command injection vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect OpenHands Git Diff Command Injection Attempt\u003c/code\u003e to your SIEM to detect exploitation attempts based on shell metacharacters in the \u003ccode\u003epath\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for the \u003ccode\u003epath\u003c/code\u003e parameter in the \u003ccode\u003e/api/conversations/{conversation_id}/git/diff\u003c/code\u003e endpoint to prevent shell metacharacters from being processed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-openhands-command-injection/","summary":"A command injection vulnerability exists in OpenHands' `get_git_diff()` method, allowing authenticated attackers to execute arbitrary commands in the agent sandbox via the `/api/conversations/{conversation_id}/git/diff` endpoint by exploiting the unsanitized `path` parameter.","title":"OpenHands Command Injection Vulnerability in Git Diff Handler","url":"https://feed.craftedsignal.io/briefs/2024-01-02-openhands-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Openhands","version":"https://jsonfeed.org/version/1.1"}