Kilo-Org kilocode
cpe:2.3:a:kilo_project:kilo:*:*:*:*:*:*:*
- <= 7.0.47
A path traversal vulnerability has been identified in Kilo-Org Kilocode versions through 7.0.47. The issue is in the File Diff API endpoint, in the call to Bun.file in packages/opencode/src/kilocode/review/worktree-diff.ts. A remote attacker can supply a crafted 'file' argument containing directory traversal sequences, and the endpoint reads and returns the resulting file, giving arbitrary file read of sensitive files on the server.
Exploitation of this vulnerability allows for unrestricted arbitrary file read, with potential access to sensitive files such as AWS credentials, API keys, SSH private keys, and OS password files, leading to total system compromise.
To reproduce this vulnerability, upload the provided Python script as 'poc_exploit.py' to a Kilo-Org Kilocode instance running on port 4096. The script sends a request to the vulnerable File Diff API Endpoint, including a path traversal payload that targets the '/etc/passwd' file. The response is then checked for the presence of the requested file contents, demonstrating the successful exploitation of the path traversal vulnerability.