<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Openhands - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/openhands/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/openhands/feed.xml" rel="self" type="application/rss+xml"/><item><title>OpenHands Command Injection Vulnerability in Git Diff Handler</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-openhands-command-injection/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-openhands-command-injection/</guid><description>A command injection vulnerability exists in OpenHands' `get_git_diff()` method, allowing authenticated attackers to execute arbitrary commands in the agent sandbox via the `/api/conversations/{conversation_id}/git/diff` endpoint by exploiting the unsanitized `path` parameter.</description><content:encoded><![CDATA[<p>OpenHands is vulnerable to command injection due to insufficient sanitization of the <code>path</code> parameter in the <code>/api/conversations/{conversation_id}/git/diff</code> API endpoint. This endpoint, handled by the <code>get_git_diff()</code> method within <code>openhands/runtime/utils/git_handler.py</code>, allows authenticated users to pass arbitrary commands to the underlying shell.  The vulnerability exists because the <code>file_path</code> parameter is directly interpolated into a shell command string using Python's <code>.format()</code> method without sanitization, allowing for the interpretation of shell metacharacters. This bypasses the normal agent command execution channels and provides a direct path for attackers to execute code within the agent sandbox.  The affected versions are pip/openhands &lt; 1.5.0. This vulnerability was reported on 2026-03-25.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated user sends a crafted HTTP GET request to the <code>/api/conversations/{conversation_id}/git/diff</code> endpoint.</li>
<li>The request includes a malicious <code>path</code> parameter containing shell metacharacters (e.g., <code>;</code>, <code>|</code>, <code>&amp;</code>).</li>
<li>The <code>git_diff</code> function in <code>openhands/server/routes/files.py</code> receives the <code>path</code> parameter.</li>
<li>The <code>path</code> parameter is passed unsanitized to the <code>runtime.get_git_diff</code> function.</li>
<li>The <code>get_git_diff</code> function in <code>openhands/runtime/base.py</code> then calls <code>self.git_handler.get_git_diff(file_path)</code>.</li>
<li>Within <code>openhands/runtime/utils/git_handler.py</code>, the <code>file_path</code> is directly inserted into the <code>GIT_DIFF_CMD</code> string using <code>.format()</code> without sanitization.</li>
<li>The resulting command string is executed via <code>subprocess.run</code> with <code>shell=True</code> in <code>openhands/runtime/utils/git_diff.py</code>, enabling shell metacharacter interpretation.</li>
<li>The attacker-supplied commands are executed on the system, achieving arbitrary code execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to execute arbitrary commands on the runtime container as root, leading to significant compromise.  Attackers can read sensitive files (e.g., <code>.env</code>, API keys, source code), write arbitrary files, inject malicious code, establish reverse shells for persistent access, and potentially escape the container if Docker is misconfigured. This impacts all OpenHands deployments exposing the vulnerable endpoint.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade OpenHands to the latest version that includes the fix from PR #13051 to address the command injection vulnerability.</li>
<li>Deploy the Sigma rule <code>Detect OpenHands Git Diff Command Injection Attempt</code> to your SIEM to detect exploitation attempts based on shell metacharacters in the <code>path</code> parameter.</li>
<li>Implement input validation and sanitization for the <code>path</code> parameter in the <code>/api/conversations/{conversation_id}/git/diff</code> endpoint to prevent shell metacharacters from being processed.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>command-injection</category><category>web-application</category><category>openhands</category></item></channel></rss>