Coder logged sensitive objects unsanitized_CVE-2025-66411

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Coder allows organizations to provision remote development environments via Terraform. Prior to 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized. An attacker with limited local access to the Coder Workspace (VM, K8s Pod etc.) or a third-party system (SIEM, logging stack) could access those logs. This vulnerability is fixed in 2.26.5, 2.27.7, and 2.28.4.

Basic Information

ID CVE-2025-66411

Source GitHub_M

Published Dec 3, 2025 at 19:25

Modified Dec 3, 2025 at 21:42

Affected Product

Vendor coder

Product coder

Version >= 2.28.0, < 2.28.4

Affected Versions coder coder >= 2.28.0, < 2.28.4
coder coder >= 2.27.0, < 2.27.7
coder coder < 2.26.5

CWE Classification

CWE-532

References

{
    "lastseen": "",
    "description": "Coder allows organizations to provision remote development environments via Terraform. Prior to 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized. An attacker with limited local access to the Coder Workspace (VM, K8s Pod etc.) or a third-party system (SIEM, logging stack) could access those logs. This vulnerability is fixed in 2.26.5, 2.27.7, and 2.28.4.",
    "published": "2025-12-03T19:25:24.207Z",
    "modified": "2025-12-03T21:42:17.349Z",
    "type": "cve",
    "title": "Coder logged sensitive objects unsanitized",
    "source": "GitHub_M",
    "references": "https://github.com/coder/coder/security/advisories/GHSA-jf75-p25m-pw74\nhttps://github.com/coder/coder/commit/e2a46393fce40bc630df3293c1ee66a596277289\nhttps://github.com/coder/coder/releases/tag/v2.26.5\nhttps://github.com/coder/coder/releases/tag/v2.27.7\nhttps://github.com/coder/coder/releases/tag/v2.28.4",
    "id": "CVE-2025-66411",
    "bulletinFamily": "",
    "cwe": [
        "CWE-532"
    ],
    "cvelist": null,
    "sourceData": "coder coder >= 2.28.0, < 2.28.4\ncoder coder >= 2.27.0, < 2.27.7\ncoder coder < 2.26.5",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "coder",
    "version": ">= 2.28.0, < 2.28.4",
    "vendor": "coder",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}