CVE-2025-66411

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-66411
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-66411.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-66411
Aliases
Published
2025-12-03T19:25:24.207Z
Modified
2025-12-04T02:48:32.038541Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Coder logged sensitive objects unsanitized
Details

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values were logged in plaintext without sanitization. An attacker with limited local access to the Coder Workspace (VM, K8s Pod, etc.) or to a third-party system (SIEM, logging stack) could access those logs. This vulnerability is fixed in 2.26.5, 2.27.7, and 2.28.4.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66411.json",
    "cwe_ids": [
        "CWE-532"
    ]
}
References

Affected packages

Git / github.com/coder/coder

Affected ranges

Type
GIT
Repo
https://github.com/coder/coder
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.28.0"
        },
        {
            "fixed": "2.28.4"
        }
    ]
}
Type
GIT
Repo
https://github.com/coder/coder
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.27.0"
        },
        {
            "fixed": "2.27.7"
        }
    ]
}
Type
GIT
Repo
https://github.com/coder/coder
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.26.5"
        }
    ]
}

Affected versions

Other

rm

v0.*

v0.10.0
v0.10.1
v0.10.2
v0.11.0
v0.12.0
v0.12.1
v0.12.2
v0.12.3
v0.12.4
v0.12.5
v0.12.6
v0.12.7
v0.12.8
v0.12.9
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.13.4
v0.13.5
v0.13.6
v0.14.0
v0.14.1
v0.14.2
v0.14.3
v0.15.0
v0.15.1
v0.15.2
v0.15.3
v0.16.0
v0.17.0
v0.17.1
v0.17.2
v0.17.3
v0.17.4
v0.18.0
v0.18.1
v0.19.0
v0.19.1
v0.19.2
v0.20.0
v0.20.1
v0.21.0
v0.21.1
v0.21.2
v0.21.3
v0.22.0
v0.22.1
v0.22.2
v0.23.0
v0.23.1
v0.23.2
v0.23.3
v0.23.4
v0.23.5
v0.23.6
v0.23.7
v0.24.0
v0.24.1
v0.25.0
v0.26.0
v0.26.1
v0.26.2
v0.27.0
v0.27.1
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.5.0
v0.5.1
v0.5.10
v0.5.11
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.6.5
v0.6.6
v0.7.0
v0.7.1
v0.7.10
v0.7.11
v0.7.12
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6
v0.7.7
v0.7.8
v0.7.9
v0.8.0
v0.8.1
v0.8.10
v0.8.11
v0.8.12
v0.8.13
v0.8.14
v0.8.15
v0.8.2
v0.8.3
v0.8.4
v0.8.5
v0.8.6
v0.8.7
v0.8.8
v0.8.9
v0.9.0
v0.9.1
v0.9.10
v0.9.2
v0.9.3
v0.9.4
v0.9.5
v0.9.6
v0.9.7
v0.9.8
v0.9.9

v2.*

v2.0.2
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.10.0
v2.2.1
v2.26.0
v2.26.1
v2.26.2
v2.26.3
v2.26.4
v2.27.0
v2.27.1
v2.27.2
v2.27.3
v2.27.4
v2.27.5
v2.27.6
v2.28.0
v2.28.1
v2.28.2
v2.28.3
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.4.0
v2.5.0
v2.5.1
v2.6.0
v2.7.0
v2.7.1
v2.8.0
v2.9.0