GHSA-JF75-P25M-PW74

Vulnerability from github – Published: 2025-12-03 16:28 – Updated: 2025-12-04 16:22
Summary
Coder logs sensitive objects unsanitized
Details

Summary

Workspace Agent manifests containing sensitive values were logged in plaintext, unsanitized.

Details

By default, Workspace Agent logs are redirected to stderr: https://github.com/coder/coder/blob/a8862be546f347c59201e2219d917e28121c0edb/cli/agent.go#L432-L439

Workspace Agent Manifests containing sensitive environment variables were logged insecurely: https://github.com/coder/coder/blob/7beb95fd56d2f790502e236b64906f8eefb969bd/agent/agent.go#L1090

An attacker with limited local access to the Coder Workspace (VM, K8s Pod, etc.) or to a third-party system that receives the logs (SIEM, logging stack) could read those values.

This behavior opened the door to unauthorized access and privilege escalation.
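The logging pattern described above, shown beside a redacted alternative and a simple audit check for logs that have already been written, as an added Go example (this is not Coder's code or its fix; the Manifest struct, its field names and the sample values are assumptions constructed for illustration):

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Manifest stands in for a workspace agent manifest. It is constructed for
// this example; the field names are assumptions, not Coder's actual schema.
type Manifest struct {
	AgentID              string            `json:"agent_id"`
	Directory            string            `json:"directory"`
	EnvironmentVariables map[string]string `json:"environment_variables"`
}

// formatUnsafe reproduces the CWE-532 pattern the advisory describes: the whole
// manifest, environment variable values included, is serialized into a log
// line that ends up on stderr and in whatever collects stderr.
func formatUnsafe(m Manifest) string {
	b, _ := json.Marshal(m) // cannot fail for a struct of strings and a string map
	return fmt.Sprintf("agent: received manifest %s", b)
}

// Redacted returns a copy of the manifest that is safe to log: every
// environment variable value is replaced by a placeholder. Key names survive,
// which is usually enough to debug "was variable X set" without exposing it.
// All values are masked because the agent cannot know which ones are secrets.
func (m Manifest) Redacted() Manifest {
	r := m
	r.EnvironmentVariables = make(map[string]string, len(m.EnvironmentVariables))
	for k := range m.EnvironmentVariables {
		r.EnvironmentVariables[k] = "[REDACTED]"
	}
	return r
}

// formatSafe logs the redacted view plus the variable count, so the line stays
// useful for debugging but carries no secret material.
func formatSafe(m Manifest) string {
	b, _ := json.Marshal(m.Redacted())
	return fmt.Sprintf("agent: received manifest (%d env vars) %s",
		len(m.EnvironmentVariables), b)
}

// findLeaks is the defender-side check: given captured log lines and the
// environment variable values known for a workspace, it returns the indexes of
// lines that contain any value verbatim. Run it over a stderr capture or a
// SIEM export to learn whether an affected agent version already leaked.
func findLeaks(lines []string, secrets []string) []int {
	var leaked []int
	for i, line := range lines {
		for _, s := range secrets {
			if s != "" && strings.Contains(line, s) {
				leaked = append(leaked, i)
				break
			}
		}
	}
	return leaked
}

// secretValues collects the manifest's environment variable values so that
// findLeaks can search for them.
func secretValues(m Manifest) []string {
	vals := make([]string, 0, len(m.EnvironmentVariables))
	for _, v := range m.EnvironmentVariables {
		vals = append(vals, v)
	}
	return vals
}

// sampleManifest is constructed test data; the values are placeholders.
func sampleManifest() Manifest {
	return Manifest{
		AgentID:   "example-agent-0001",
		Directory: "/home/coder/project",
		EnvironmentVariables: map[string]string{
			"GIT_AUTHOR_NAME": "Dev User",
			"DB_PASSWORD":     "example-db-password-PLACEHOLDER",
			"CLOUD_API_TOKEN": "example-token-PLACEHOLDER",
		},
	}
}

func main() {
	m := sampleManifest()
	lines := []string{formatUnsafe(m), formatSafe(m)}
	for i, line := range lines {
		fmt.Printf("line %d: %s\n", i, line)
	}
	fmt.Println("lines containing an env value:", findLeaks(lines, secretValues(m)))
}
```

Redacting at the point of serialization, rather than filtering in the log pipeline, means the protection does not depend on where stderr is shipped; findLeaks covers the other half of the response, auditing what was already emitted by an unpatched agent.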

Impact

The impact varies depending on the environment variables set in a given workspace.

Patches

Fix was released & backported:

  • https://github.com/coder/coder/releases/tag/v2.28.4
  • https://github.com/coder/coder/releases/tag/v2.27.7
  • https://github.com/coder/coder/releases/tag/v2.26.5

Workarounds

One potential workaround is to disable Workspace Agent logs by setting the following configuration option: CODER_AGENT_LOGGING_HUMAN=/dev/null

Platform operators are advised to upgrade their deployments.


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/coder/coder/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.26.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/coder/coder/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.27.0"
            },
            {
              "fixed": "2.27.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/coder/coder/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.28.0"
            },
            {
              "fixed": "2.28.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66411"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-03T16:28:36Z",
    "nvd_published_at": "2025-12-03T20:16:26Z",
    "severity": "HIGH"
  },
  "details": "## Summary\nWorkspace Agent manifests containing sensitive values were logged in plaintext unsanitized\n\n## Details\nBy default Workspace Agent logs are redirected to [stderr](https://linux.die.net/man/3/stderr)\nhttps://github.com/coder/coder/blob/a8862be546f347c59201e2219d917e28121c0edb/cli/agent.go#L432-L439\n\n[Workspace Agent Manifests](https://coder.com/docs/reference/agent-api/schemas#agentsdkmanifest) containing sensitive environment variables were logged insecurely\nhttps://github.com/coder/coder/blob/7beb95fd56d2f790502e236b64906f8eefb969bd/agent/agent.go#L1090\n\nAn attacker with limited local access to the Coder Workspace (VM, K8s Pod etc.) or a third-party system ([SIEM](https://csrc.nist.gov/glossary/term/security_information_and_event_management_tool), logging stack) could access those logs\n\nThis behavior opened room for unauthorized access and privilege escalation\n\n## Impact\nImpact varies depending on the environment variables set in a given workspace\n\n## Patches\n[Fix](https://github.com/coder/coder/commit/e2a46393fce40bc630df3293c1ee66a596277289) was released \u0026 backported:\n- https://github.com/coder/coder/releases/tag/v2.28.4\n- https://github.com/coder/coder/releases/tag/v2.27.7\n- https://github.com/coder/coder/releases/tag/v2.26.5\n\n## Workarounds\nOne potential workaround is to disable Workspace Agent Logs by setting following configuration option\n`CODER_AGENT_LOGGING_HUMAN=/dev/null` \n\u003e platform operators are advised to upgrade their deployments",
  "id": "GHSA-jf75-p25m-pw74",
  "modified": "2025-12-04T16:22:37Z",
  "published": "2025-12-03T16:28:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/coder/coder/security/advisories/GHSA-jf75-p25m-pw74"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66411"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coder/coder/pull/20968"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coder/coder/commit/06c6abbe0935f9213c1588add60a396da5762e1c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coder/coder/commit/a75205a559211c8aa494b1a16750d114b263f24a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coder/coder/commit/e2a46393fce40bc630df3293c1ee66a596277289"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/coder/coder"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coder/coder/releases/tag/v2.26.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coder/coder/releases/tag/v2.27.7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coder/coder/releases/tag/v2.28.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Coder logs sensitive objects unsanitized"
}