Kilo-Org Kilocode Environment Variable Handler Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in Kilo-Org Kilocode versions through 7.0.47. The issue arises in the Environment Variable Handler, specifically within the Load function of the config.ts file in the opencode package. The vulnerability allows for arbitrary file reading by manipulating the KILO_CONFIG_CONTENT environment variable. This flaw can be exploited remotely, leading to the leakage of sensitive information such as API keys, AWS credentials, or SSH private keys.

Impact

Exploitation of this vulnerability allows for arbitrary file reading, with the potential to access highly sensitive information. The leaked data can include environment configuration files, API keys, AWS credentials, or SSH private keys. In CI/CD pipelines, this could lead to significant access escalation.

Reproduction

To reproduce this vulnerability, set the KILO_CONFIG_CONTENT environment variable with a JSON string that includes an invalid key name surrounding the {file:/path} token syntax. Then, run the Kilocode CLI, ensuring that the application logs are printed. The targeted file's content will be read and displayed in the error log, immediately before the application exits.