Sensitive information stored in logs in github.com/coder/coder/v2
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| go default | github.com/coder/coder/v2 | | 2.26.5, 2.27.7, 2.28.4 |
Description
Coder logs sensitive objects unsanitized
Summary
Workspace agent manifests containing sensitive values were logged in plaintext, without sanitization.
Details
By default, workspace agent logs are written to stderr: https://github.com/coder/coder/blob/a8862be546f347c59201e2219d917e28121c0edb/cli/agent.go#L432-L439
Workspace agent manifests, which can contain sensitive environment variables, were logged without sanitization: https://github.com/coder/coder/blob/7beb95fd56d2f790502e236b64906f8eefb969bd/agent/agent.go#L1090
An attacker with limited local access to the Coder workspace (VM, Kubernetes pod, etc.), or with access to a third-party system that ingests those logs (SIEM, logging stack), could read the logged values.
Because the leaked variables can include credentials, this opened the door to unauthorized access and privilege escalation.
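The pattern the advisory describes (a whole manifest, environment variables included, serialized into a log record) beside a redacting version, followed by a check that scans a log line for known secret values. This is an added example written for this page, not Coder's code: the Manifest type, its field names, the key-name heuristic in sensitiveKey, and all sample values are assumptions made for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"log/slog"
	"sort"
	"strings"
)

// Manifest stands in for a workspace-agent manifest. The type and field
// names are assumptions made for this example, not Coder's own definitions.
type Manifest struct {
	AgentID              string
	EnvironmentVariables map[string]string
}

// sensitiveKey is a name-based heuristic for variables that usually hold
// credentials; the marker list is an assumption chosen for this example.
func sensitiveKey(name string) bool {
	upper := strings.ToUpper(name)
	for _, marker := range []string{"TOKEN", "SECRET", "PASSWORD", "PASSWD", "KEY", "CREDENTIAL"} {
		if strings.Contains(upper, marker) {
			return true
		}
	}
	return false
}

// Redacted returns a copy of the manifest that is safe to log: sensitive values
// are replaced, but names are kept so an operator still sees which variables were set.
func (m Manifest) Redacted() Manifest {
	out := Manifest{
		AgentID:              m.AgentID,
		EnvironmentVariables: make(map[string]string, len(m.EnvironmentVariables)),
	}
	for k, v := range m.EnvironmentVariables {
		if sensitiveKey(k) {
			out.EnvironmentVariables[k] = "[REDACTED]"
		} else {
			out.EnvironmentVariables[k] = v
		}
	}
	return out
}

// LogManifest writes one JSON log record for the manifest and returns it.
// With redact=false it reproduces the CWE-532 pattern: the whole environment
// map, secrets included, is serialized into the record. With redact=true
// only the sanitized copy reaches the handler.
func LogManifest(m Manifest, redact bool) string {
	var buf bytes.Buffer
	logger := slog.New(slog.NewJSONHandler(&buf, nil))
	if redact {
		m = m.Redacted()
	}
	logger.Info("received agent manifest",
		slog.String("agent_id", m.AgentID),
		slog.Any("env", m.EnvironmentVariables))
	return buf.String()
}

// FindLeaks returns the names of the given secrets whose values appear verbatim
// in a log line. Run over collected agent output, it tells an operator which
// known credentials an affected deployment has already written out.
func FindLeaks(line string, secrets map[string]string) []string {
	leaked := []string{}
	for name, value := range secrets {
		if value != "" && strings.Contains(line, value) {
			leaked = append(leaked, name)
		}
	}
	sort.Strings(leaked)
	return leaked
}

func main() {
	// Constructed sample manifest; every value below is made up for this example.
	m := Manifest{
		AgentID: "agent-0001",
		EnvironmentVariables: map[string]string{
			"CODER_AGENT_TOKEN":     "ff6e3d2a-example-token",
			"AWS_SECRET_ACCESS_KEY": "example-aws-secret-0123",
			"HOME":                  "/home/coder",
		},
	}
	known := map[string]string{
		"CODER_AGENT_TOKEN":     "ff6e3d2a-example-token",
		"AWS_SECRET_ACCESS_KEY": "example-aws-secret-0123",
	}
	unsafeLine := LogManifest(m, false)
	safeLine := LogManifest(m, true)
	fmt.Print("unsanitized: ", unsafeLine)
	fmt.Println("  leaked:", FindLeaks(unsafeLine, known))
	fmt.Print("redacted:    ", safeLine)
	fmt.Println("  leaked:", FindLeaks(safeLine, known))
}
```

Redacting at the call site, as LogManifest does, fixes one line but leaves every future `slog.Any("manifest", m)` a fresh opportunity for the same bug; a more durable form of the same idea is to have the manifest type itself implement slog.LogValuer so that the logger only ever sees the redacted copy. FindLeaks is the check to run over whatever the SIEM or logging stack already holds: if it reports names, those credentials have to be treated as exposed regardless of the upgrade.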
Impact
Impact varies with the environment variables set in a given workspace: anything injected into the agent's environment, credentials included, could appear in the logs.
Patches
The fix was released and backported; the patched releases are 2.26.5, 2.27.7 and 2.28.4:
https://github.com/coder/coder/releases/tag/v2.28.4
Workarounds
One potential workaround is to disable the human-readable workspace agent log by pointing it at /dev/null with the following configuration option:
CODER_AGENT_LOGGING_HUMAN=/dev/null
This silences all agent log output, not only the manifest line, so it is a stop-gap rather than a fix. It also does nothing for records already collected: credentials that were present in affected workspaces' environment variables and shipped to a SIEM or logging stack should be treated as exposed and rotated. Platform operators are advised to upgrade their deployments.
Mitigation
• go github.com/coder/coder/v2: upgrade to version 2.26.5, 2.27.7 or 2.28.4, or higher in the respective release line.
References
• GitHub Advisory Database
Severity (CVSS v4.0): 5.6, Medium
Fluid Attacks ID: FLAT-H7WC2
CVE ID: CVE-2025-66411
CWE ID(s): CWE-532 (Insertion of Sensitive Information into Log File)
Alternative ID: GHSA-jf75-p25m-pw74
EPSS: N/A
Percentile: N/A
Source: GitHub Advisory Database