HKUDS OpenHarness Remote Code Execution Vulnerability via Bridge Slash Command
Vulnerability
A remote code execution vulnerability has been identified in the bridge slash command of HKUDS OpenHarness. It allows remote users who are accepted by configuration to execute arbitrary operating system commands. An attacker can send command text through the /bridge spawn command; that text is forwarded to the bridge session manager and executed via a shared shell subprocess helper. Exploitation lets the attacker spawn shell sessions as the user running the OpenHarness process, potentially accessing local files, credentials, workspace state, and repository contents.
Impact
Exploitation of this vulnerability allows for remote code execution on the server where OpenHarness is running.
Reproduction
To reproduce this vulnerability, send a message to a channel where the OpenHarness bot is active, using the /bridge spawn command followed by the desired command text. Ensure that the bridge command is not restricted to local use only. The command will be executed on the server as the OpenHarness process user, with access to local files and other sensitive information.
Remediation
Users are advised to update to the latest version of OpenHarness, where this vulnerability has been patched.
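The local-only restriction mentioned under Reproduction, shown as an added Python example that is not OpenHarness's own code or its patch: a slash-command dispatcher that denies shell-capable commands to any sender that is not local, and records the attempt. The names `SlashCommand`, `Message`, `dispatch`, `REGISTRY`, `AUDIT` and the `origin` field are hypothetical, and the spawn handler is a stub that runs nothing.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass(frozen=True)
class SlashCommand:
    handler: Callable[[str], str]
    remote_allowed: bool = False  # default deny for channel-originated messages

@dataclass(frozen=True)
class Message:
    sender: str
    origin: str  # assumed values: "local" (operator terminal) or "remote" (chat channel)
    text: str

def spawn_stub(args: str) -> str:
    # Stand-in for the bridge session manager; deliberately executes nothing.
    return f"spawn requested: {args!r}"

# Hypothetical registry: only harmless commands are opted in for remote senders.
REGISTRY: Dict[str, SlashCommand] = {
    "bridge": SlashCommand(spawn_stub, remote_allowed=False),
    "help": SlashCommand(lambda _args: "commands: /help, /bridge", remote_allowed=True),
}

AUDIT: List[str] = []  # denied attempts, for review or alerting

def dispatch(msg: Message, registry: Dict[str, SlashCommand] = REGISTRY) -> str:
    if not msg.text.startswith("/"):
        return "ignored"
    parts = msg.text[1:].split(None, 1)
    if not parts:
        return "unknown command"
    name = parts[0].lower()
    args = parts[1].strip() if len(parts) > 1 else ""
    cmd = registry.get(name)
    if cmd is None:
        return "unknown command"
    # Fail closed: anything not explicitly "local" is treated as remote.
    if msg.origin != "local" and not cmd.remote_allowed:
        AUDIT.append(f"denied /{name} from {msg.sender} ({msg.origin})")
        return "denied: local-only command"
    return cmd.handler(args)
```

The origin check runs before any handler is called, so a remote message never reaches the code path that would start a subprocess.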
