GHSA-jf75-p25m-pw74
Suggest an improvement- Source
- https://github.com/advisories/GHSA-jf75-p25m-pw74
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-jf75-p25m-pw74/GHSA-jf75-p25m-pw74.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-jf75-p25m-pw74
- Aliases
- Published
- 2025-12-03T16:28:36Z
- Modified
- 2025-12-03T16:58:06.779320Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Coder logs sensitive objects unsanitized
- Details
-
Summary
Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized
Details
By default Workspace Agent logs are redirected to stderr https://github.com/coder/coder/blob/a8862be546f347c59201e2219d917e28121c0edb/cli/agent.go#L432-L439
Workspace Agent Manifests containing sensitive environment variables were logged insecurely https://github.com/coder/coder/blob/7beb95fd56d2f790502e236b64906f8eefb969bd/agent/agent.go#L1090
An attacker with limited local access to the Coder Workspace (VM, K8s Pod etc.) or a third-party system (SIEM, logging stack) could access those logs
This behavior opened room for unauthorized access and privilege escalation
Impact
Impact varies depending on the environment variables set in a given workspace
Patches
Fix was released & backported: - https://github.com/coder/coder/releases/tag/v2.28.4 - https://github.com/coder/coder/releases/tag/v2.27.7 - https://github.com/coder/coder/releases/tag/v2.26.5
Workarounds
One potential workaround is to disable Workspace Agent Logs by setting following configuration option
CODER_AGENT_LOGGING_HUMAN=/dev/nullplatform operators are advised to upgrade their deployments
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2025-12-03T16:28:36Z", "nvd_published_at": null, "severity": "HIGH", "cwe_ids": [ "CWE-532" ] }- References
-
- https://github.com/coder/coder/security/advisories/GHSA-jf75-p25m-pw74
- https://github.com/coder/coder/pull/20968
- https://github.com/coder/coder/commit/06c6abbe0935f9213c1588add60a396da5762e1c
- https://github.com/coder/coder/commit/a75205a559211c8aa494b1a16750d114b263f24a
- https://github.com/coder/coder/commit/e2a46393fce40bc630df3293c1ee66a596277289
- https://github.com/coder/coder
- https://github.com/coder/coder/releases/tag/v2.26.5
- https://github.com/coder/coder/releases/tag/v2.27.7
- https://github.com/coder/coder/releases/tag/v2.28.4
Affected packages
Go / github.com/coder/coder/v2
Package
- Name
- github.com/coder/coder/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/coder/coder/v2
Go / github.com/coder/coder/v2
Package
- Name
- github.com/coder/coder/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/coder/coder/v2
Go / github.com/coder/coder/v2
Package
- Name
- github.com/coder/coder/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/coder/coder/v2