CVE-2021-3810

7.5 HIGH

📋 TL;DR

CVE-2021-3810 is a regular expression denial-of-service (ReDoS) vulnerability in code-server's URL path validation. Attackers can craft malicious URLs that cause excessive CPU consumption, potentially making the service unresponsive. This affects all code-server instances with the vulnerable code.

💻 Affected Systems

Products:
  • code-server
Versions: Before 3.12.0
Operating Systems: All platforms running code-server
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable if using affected versions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to CPU exhaustion, disrupting all users and potentially requiring a service restart.

🟠 Likely Case

Degraded performance or temporary unavailability for users accessing the affected endpoint.

🟢 If Mitigated

Minimal impact with proper rate limiting and monitoring in place.

🌐 Internet-Facing: HIGH - Internet-facing instances are directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable to internal threats or compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted HTTP requests to vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.12.0 and later

Vendor Advisory: https://github.com/cdr/code-server/security/advisories/GHSA-7x4j-5xjq-8jvh

Restart Required: Yes

Instructions:

1. Stop the code-server service.
2. Update to version 3.12.0 or later using your package manager or a direct download.
3. Restart the code-server service.

🔧 Temporary Workarounds

Implement rate limiting

Platform: all

Add rate limiting to HTTP requests to prevent abuse of the vulnerable endpoint.

# Use nginx or a similar reverse proxy with rate limiting in front of code-server.
# limit_req_zone belongs in the http {} context; limit_req goes in the server {} or
# location {} block that proxies to code-server.
limit_req_zone $binary_remote_addr zone=code_server:10m rate=10r/s;
limit_req zone=code_server burst=20 nodelay;

Restrict network access

Platform: linux

Limit access to code-server to trusted networks only.

# Example using iptables (replace trusted_network with your CIDR, e.g. a /24;
# 8080 is code-server's default listen port, adjust if you changed it).
iptables -A INPUT -p tcp --dport 8080 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block malicious URL patterns.
  • Monitor CPU usage and set alerts for abnormal spikes to detect potential attacks.

🔍 How to Verify

Check if Vulnerable:

Check code-server version: if version is below 3.12.0, it is vulnerable.

Check Version:

code-server --version

Verify Fix Applied:

Verify version is 3.12.0 or higher and test that crafted URLs no longer cause high CPU usage.

📡 Detection & Monitoring

Log Indicators:

  • Multiple requests to /static/ paths with unusual patterns
  • High CPU usage alerts from monitoring systems

Network Indicators:

  • Unusual volume of HTTP requests to code-server static endpoints
  • Requests with long, repetitive patterns in URL paths

SIEM Query:

source="code-server" AND (url="/static/*" AND url_length>100) | stats count by src_ip
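The SIEM query above, expressed as stand-alone detection logic that can be run over proxy access logs; it also flags short but highly repetitive /static/ paths (the "long, repetitive patterns" indicator). This is an added example, not code from the page or the code-server project; the combined log format, the 100-character length threshold taken from the query, and the repetition threshold of 10 are assumptions.

```python
import re
from collections import Counter

# Combined log format as written by nginx/Apache in front of code-server (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines: one benign static asset fetch, two long repetitive
# paths from one client, a short-but-repetitive path from another, and a login hit.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2021:10:00:01 +0000] "GET /static/abc123/src/browser/pages/login.css HTTP/1.1" 200 512',
    '203.0.113.10 - - [10/Oct/2021:10:00:02 +0000] "GET /static/' + "/" * 150 + ' HTTP/1.1" 200 0',
    '198.51.100.7 - - [10/Oct/2021:10:00:03 +0000] "GET /login HTTP/1.1" 200 1024',
    '203.0.113.10 - - [10/Oct/2021:10:00:04 +0000] "GET /static/' + "a/" * 80 + ' HTTP/1.1" 200 0',
    '192.0.2.5 - - [10/Oct/2021:10:00:05 +0000] "GET /static/' + "ab" * 12 + ' HTTP/1.1" 200 0',
]


def max_repeats(path, max_unit=8):
    """Largest number of consecutive repetitions of any unit of 1..max_unit chars.

    Linear scan per unit length (no regex), so the detector itself cannot backtrack.
    """
    best = 1
    for unit in range(1, max_unit + 1):
        run = 0  # consecutive positions where path[i] == path[i - unit]
        for i in range(unit, len(path)):
            if path[i] == path[i - unit]:
                run += 1
                best = max(best, (run + unit) // unit)
            else:
                run = 0
    return best


def is_suspicious(path, max_len=100, min_repeats=10):
    """True for /static/ requests that are overly long or highly repetitive."""
    if not path.startswith("/static/"):
        return False
    return len(path) > max_len or max_repeats(path) >= min_repeats


def suspicious_by_ip(lines):
    """Equivalent of the SIEM query: count flagged /static/ requests per source IP."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspicious(m["path"]):
            counts[m["ip"]] += 1
    return counts


if __name__ == "__main__":
    for ip, n in suspicious_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n}")
```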

🔗 References
