Anonymous Intelligence Signal

OpenHands AI Controller: Remote Code Execution Risk via Unsafe Pickle Deserialization in State Restoration

human | The Lab | unverified | 2026-03-25 14:27:43 | Source: GitHub Issues

A critical security vulnerability in the OpenHands AI controller exposes deployments to remote code execution. The system restores agent state and conversation metrics from persistent storage with Python's `pickle.loads()`, which will invoke any callable a crafted stream names during deserialization, and it does so without any integrity check on the stored bytes or any restriction on what the unpickler may load. This flaw, classified under CWE-502 (Deserialization of Untrusted Data), gives an attacker who can control the stored file a direct path to arbitrary code execution on the server every time state is restored.

The vulnerability is rooted in two specific code locations within the OpenHands codebase. In `openhands/controller/state/state.py`, the state-restoration code reads a base64-encoded state file through `FileStore.read()`, base64-decodes it, and passes the resulting bytes directly to `pickle.loads()`. An identical pattern exists in `openhands/server/services/conversation_stats.py` for loading conversation metrics. The `FileStore` abstraction supports multiple backends, including cloud services like Amazon S3 and Google Cloud Storage (GCS), as well as webhook-based stores, so the bytes being unpickled can originate outside the host running the controller.

The risk escalates significantly in cloud-based deployments. If an attacker gains write access to a misconfigured storage bucket or can inject a malicious payload through a webhook endpoint, they can plant a crafted pickle file. When the OpenHands controller subsequently loads this poisoned state or metrics file, the code embedded in the pickle payload executes on the host with the privileges of the application process. Because the payload runs during `pickle.loads()` itself, before any object is returned, validation of the restored state object afterwards cannot catch it; only an integrity check before deserialization, or a restricted deserializer, can. This flaw effectively turns a compromised storage backend into a remote code execution vector, bypassing application-level security controls.
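The following is an added illustration, not code from OpenHands or from the issue author, of the pattern described above and one way to harden it. The in-memory store, the `AgentState` class, the file paths and the demo key are all constructed for the example; the payload's `__reduce__` only appends to a list so the demo is harmless, where a real payload would call `os.system` or similar. The hardened loader does two independent things: it verifies an HMAC-SHA256 tag over the pickle bytes before touching them (defeats a planted file), and it unpickles through an allow-list `Unpickler.find_class` (so even a correctly signed blob, if the key leaks, cannot reach arbitrary callables).

```python
import base64
import hashlib
import hmac
import io
import pickle


class InMemoryFileStore:
    # Constructed stand-in for a FileStore backend (S3, GCS, webhook); a plain dict.
    def __init__(self):
        self._files = {}

    def write(self, path, contents):
        self._files[path] = contents

    def read(self, path):
        return self._files[path]


class AgentState:
    # Hypothetical minimal agent state; the real State object has more fields.
    def __init__(self, iteration, metrics):
        self.iteration = iteration
        self.metrics = metrics


# Side-effect sink so the demo payload is harmless: a real payload would call
# os.system or subprocess.Popen here instead of appending to a list.
EXECUTED = []


def record_execution(marker):
    EXECUTED.append(marker)
    return marker


class MaliciousPickle:
    # pickle serialises whatever __reduce__ returns; a (callable, args) tuple tells
    # the unpickler to call record_execution("rce") while loading. That is the
    # primitive an attacker abuses with any planted pickle file.
    def __reduce__(self):
        return (record_execution, ("rce",))


def restore_state_vulnerable(store, path):
    # The pattern the advisory describes: base64 decode, then pickle.loads, no checks.
    return pickle.loads(base64.b64decode(store.read(path)))


# Hardened variant: HMAC-SHA256 over the pickle bytes plus an allow-list unpickler.
TAG_LEN = hashlib.sha256().digest_size
ALLOWED_GLOBALS = {(AgentState.__module__, "AgentState")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Called for every global the stream references, before it is used.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def save_state_signed(store, path, state, key):
    blob = pickle.dumps(state, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, blob, hashlib.sha256).digest()
    store.write(path, base64.b64encode(tag + blob).decode("ascii"))


def restore_state_hardened(store, path, key):
    raw = base64.b64decode(store.read(path))
    tag, blob = raw[:TAG_LEN], raw[TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, blob, hashlib.sha256).digest()):
        raise ValueError("state file failed integrity check")  # never unpickled
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo():
    store = InMemoryFileStore()
    key = b"constructed-demo-key"  # real deployments: a secret kept out of the bucket
    results = {}
    # 1. Attacker with bucket write access plants an unsigned, crafted state file.
    planted = base64.b64encode(pickle.dumps(MaliciousPickle())).decode("ascii")
    store.write("sessions/s1/state.pkl", planted)
    EXECUTED.clear()
    restore_state_vulnerable(store, "sessions/s1/state.pkl")
    results["vulnerable_executed_payload"] = EXECUTED == ["rce"]
    # 2. Same planted file against the hardened loader: integrity check fails first.
    EXECUTED.clear()
    try:
        restore_state_hardened(store, "sessions/s1/state.pkl", key)
        results["hardened_rejected_unsigned"] = False
    except ValueError:
        results["hardened_rejected_unsigned"] = not EXECUTED
    # 3. A correctly signed blob (leaked key) still cannot reach a forbidden global.
    save_state_signed(store, "sessions/s2/state.pkl", MaliciousPickle(), key)
    EXECUTED.clear()
    try:
        restore_state_hardened(store, "sessions/s2/state.pkl", key)
        results["hardened_rejected_forbidden_global"] = False
    except pickle.UnpicklingError:
        results["hardened_rejected_forbidden_global"] = not EXECUTED
    # 4. Legitimate state still round-trips through the hardened path.
    save_state_signed(store, "sessions/s3/state.pkl", AgentState(3, {"cost": 0.5}), key)
    restored = restore_state_hardened(store, "sessions/s3/state.pkl", key)
    results["legit_roundtrip"] = restored.iteration == 3 and restored.metrics == {"cost": 0.5}
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows all four outcomes: the unchecked loader runs the planted payload, the hardened loader refuses the same file before unpickling, refuses a signed file that names a global outside the allow-list, and still restores ordinary state. The allow-list is the part that needs care in a real code base: every class that legitimately appears in the state (and any enums or nested types) must be listed, which is also a useful inventory of what the state file is allowed to contain; the cleaner long-term fix is a non-executable format such as JSON for state and metrics.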