Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized
By default Workspace Agent logs are redirected to stderr
https://github.com/coder/coder/blob/a8862be546f347c59201e2219d917e28121c0edb/cli/agent.go#L432-L439
Workspace Agent Manifests containing sensitive environment variables were logged insecurely
https://github.com/coder/coder/blob/7beb95fd56d2f790502e236b64906f8eefb969bd/agent/agent.go#L1090
An attacker with limited local access to the Coder Workspace (VM, K8s Pod etc.) or a third-party system (SIEM, logging stack) could access those logs
This behavior opened room for unauthorized access and privilege escalation
Impact varies depending on the environment variables set in a given workspace
Fix was released & backported:
- https://github.com/coder/coder/releases/tag/v2.28.4
- https://github.com/coder/coder/releases/tag/v2.27.7
- https://github.com/coder/coder/releases/tag/v2.26.5
One potential workaround is to disable Workspace Agent Logs by setting following configuration option
CODER_AGENT_LOGGING_HUMAN=/dev/null
> platform operators are advised to upgrade their deployments
| Score | Percentile |
|---|---|
| 0.04% | 11.48% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 7.8 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-jf75-p25m-pw74 ↗ |
| CVE | CVE-2025-66411 ↗ |
| CWE id | Name |
|---|---|
| CWE-532 | Insertion of Sensitive Information into Log File |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| go | github.com/coder/coder/v2 | < 2.26.5 | 2.26.5 | — |
| go | github.com/coder/coder/v2 | >= 2.27.0, < 2.27.7 | 2.27.7 | — |
| go | github.com/coder/coder/v2 | >= 2.28.0, < 2.28.4 | 2.28.4 | — |