Bug Report
Description: packages/opencode/src/mcp/oauth-callback.ts:27-46 — HTML_ERROR function interpolates the error string directly into HTML without escaping. The error value comes from URL query parameters (error, error_description), so an attacker can craft a malicious OAuth callback URL to inject arbitrary HTML/JS.
CWE: CWE-79
Severity: High
Reproduction: See POC test in PR
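The fix the report implies is to HTML-escape every value that originated in the callback URL before it is interpolated into the page. The block below is an added illustration, not code from opencode or its oauth-callback.ts; the function names (escapeHtml, renderErrorPage, renderFromCallbackUrl) and the page layout are assumptions, and the callback URL in the usage is constructed.

```typescript
// Added example (not opencode's code): a minimal error-page renderer for an
// OAuth redirect handler that escapes attacker-controlled query parameters
// (error, error_description) before they reach HTML. Names are hypothetical.

// Escape the characters that carry meaning in HTML text and attribute
// contexts so that untrusted input is rendered as literal text, not markup.
function escapeHtml(input: string): string {
  return input.replace(/[&<>"']/g, (ch) => {
    switch (ch) {
      case "&": return "&amp;";
      case "<": return "&lt;";
      case ">": return "&gt;";
      case '"': return "&quot;";
      default:  return "&#39;";
    }
  });
}

// Stand-in for the parameters an authorization server may append to the
// callback URL on failure (RFC 6749, section 4.1.2.1).
interface CallbackParams {
  error?: string;
  error_description?: string;
}

// Render the failure page. Every value that came from the URL passes through
// escapeHtml; only the static markup written here is emitted unescaped.
function renderErrorPage(params: CallbackParams): string {
  const error = escapeHtml(params.error ?? "unknown_error");
  const description = escapeHtml(params.error_description ?? "");
  return [
    "<!doctype html>",
    "<html><head><title>Authorization failed</title></head><body>",
    `<h1>Authorization failed: ${error}</h1>`,
    description ? `<p>${description}</p>` : "",
    "</body></html>",
  ].join("\n");
}

// Parse the callback URL the way a local redirect listener would, using the
// WHATWG URL API that ships with Node, then render the escaped page.
function renderFromCallbackUrl(url: string): string {
  const u = new URL(url);
  return renderErrorPage({
    error: u.searchParams.get("error") ?? undefined,
    error_description: u.searchParams.get("error_description") ?? undefined,
  });
}

// Constructed example: a callback whose error_description carries markup.
// After escaping, the page contains "&lt;script&gt;..." rather than a tag.
const demoPage = renderFromCallbackUrl(
  "http://localhost:1234/callback?error=access_denied" +
    "&error_description=%3Cscript%3Ex%3C%2Fscript%3E",
);
console.log(demoPage);
```

A reviewer checking the fix wants two properties: no `<` from an untrusted value survives into the output, and the escaped text still reads correctly to the user. Escaping at the point of interpolation, rather than trying to validate the OAuth error string, is what guarantees the first property regardless of what the authorization server (or whoever controls the redirect) sends.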