I don't know if I missed something, but this CVE isn't as major as it was suggested to be? For one, it had to originate from app.opencode.com, and even if it didn't, most (good) browsers block websites from probing localhost. Yes, it is still a pretty bad CVE, but not as critical as some might suggest.
> For one, it had to originate from app.opencode.com
No, that was the initial mitigation! Before the vulnerability was reported, the server was accessible to the entire world with a wide-open CORS policy.
https://github.com/anomalyco/opencode/commit/7d2d87fa2c44e32...