Login Sign Up

CVE-2025-66411

7.8 HIGH

📋 TL;DR

CVE-2025-66411 is an information disclosure vulnerability in Coder where sensitive values in Workspace Agent manifests were logged in plaintext without sanitization. Attackers with local access to Coder Workspace environments (VMs, Kubernetes Pods) or third-party logging systems could access these logs containing sensitive data. Organizations using affected Coder versions for remote development environment provisioning are impacted.

💻 Affected Systems

Products:
  • Coder
Versions: All versions prior to 2.26.5, 2.27.7, and 2.28.4
Operating Systems: All platforms running Coder
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Coder deployments using Workspace Agent manifests with sensitive values. Vulnerability exists in default logging configuration.

📦 What is this software?

Coder by Coder

View all CVEs affecting Coder →

Coder by Coder

View all CVEs affecting Coder →

Coder by Coder

View all CVEs affecting Coder →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain access to sensitive credentials, API keys, or secrets from logged manifests, leading to lateral movement, privilege escalation, or complete environment compromise.

🟠

Likely Case

Internal attackers or compromised systems access sensitive configuration data from logs, potentially enabling further attacks within the development environment.

🟢

If Mitigated

With proper access controls and log monitoring, impact is limited to authorized users who already have some level of access to the environment.

🌐 Internet-Facing: LOW - Exploitation requires local access to Coder Workspace or logging systems, not directly internet-facing.
🏢 Internal Only: HIGH - Internal attackers or compromised systems with local access can exploit this vulnerability to access sensitive data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires only local access to view logs containing sensitive data.

Exploitation requires access to Coder Workspace environments or logging systems where manifests are logged.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.26.5, 2.27.7, or 2.28.4

Vendor Advisory: https://github.com/coder/coder/security/advisories/GHSA-jf75-p25m-pw74

Restart Required: Yes

Instructions:

1. Identify your Coder version. 2. Upgrade to 2.26.5 if on 2.26.x, 2.27.7 if on 2.27.x, or 2.28.4 if on 2.28.x. 3. Restart Coder services. 4. Verify logs no longer contain sensitive manifest data.

🔧 Temporary Workarounds

Restrict Log Access

linux

Implement strict access controls on log files and logging systems to prevent unauthorized access.

# Set appropriate permissions on log directories
chmod 750 /var/log/coder/
# Configure log rotation to limit retention
Configure logrotate for Coder logs

Disable Sensitive Logging

all

Configure Coder to exclude sensitive manifest data from logs if patching is not immediately possible.

# Modify Coder logging configuration
coder server --log-level=error # Reduce verbosity
# Review and adjust logging configuration files

🧯 If You Can't Patch

  • Implement strict access controls on Coder Workspace environments and logging systems
  • Monitor and audit access to Coder logs for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check Coder version and review logs for plaintext sensitive values in Workspace Agent manifests.

Check Version:

coder version

Verify Fix Applied:

After patching, verify logs no longer contain sensitive manifest data and confirm version is 2.26.5, 2.27.7, or 2.28.4.

📡 Detection & Monitoring

Log Indicators:

  • Plaintext sensitive values in Coder logs
  • Workspace Agent manifest data in logs
  • Unauthorized access attempts to log files

Network Indicators:

  • Unusual access patterns to logging systems
  • Data exfiltration from log storage

SIEM Query:

source="coder" AND ("Workspace Agent" OR "manifest") AND ("password" OR "secret" OR "key" OR "token")

📊 Metadata

CVE ID: CVE-2025-66411
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-532
EPSS Score: 0.03% exploit probability (8.5th percentile)
Published: December 3, 2025
Last Updated: February 13, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-66411, you might also want to check these:

CVE-2021-32724 9.9

CVE-2021-32724 is a critical vulnerability in the check-spelling GitHub Action that allows attackers...

Same vulnerability type (CWE-532)
CVE-2022-36407 9.9

This vulnerability allows local users to gain sensitive information through insertion of sensitive d...

Same vulnerability type (CWE-532)
CVE-2025-6391 9.8

Brocade ASCG versions before 3.3.0 log JSON Web Tokens (JWT) in plain text within log files. Attacke...

Same vulnerability type (CWE-532)