Coder CVE-2026-55078
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Network-reachable API endpoint, low-complexity trigger, low-privilege authentication required; availability-only impact with no confidentiality or integrity effect.
Primary rating from Vendor (https://github.com/coder/coder).
CVSS VectorVendor: https://github.com/coder/coder
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Summary
POST /api/v2/files converts zip uploads to tar in memory via CreateTarFromZip, which enforced a per-entry size limit but no aggregate limit on total decompressed output, writing to an unbounded in-memory buffer.
> Note: Exploitation requires authenticated file-upload access and the impact is limited to availability (denial of service).
Impact
An authenticated user could upload a zip within the 100 MiB upload limit but containing many highly compressible entries whose decompressed size exhausted memory, crashing coderd before any RBAC check. Repeated requests could keep the service unavailable. This is a denial of service; it does not allow data disclosure or code execution.
Patches
The fix adds a metadata preflight check that sums projected entry sizes and a streaming writer that enforces the aggregate limit during decompression.
The fix was backported to all supported release lines:
Workarounds
Restrict file-upload permissions to trusted users or place a reverse proxy with request-body size limits in front of coderd.
Resources
- Fix: #25877
Credits
Coder would like to thank Anthropic's Security Team (ANT-2026-22438) for independently disclosing this issue!
AnalysisAI
Denial of service in Coder's coderd server allows any authenticated user with file-upload access to exhaust server memory by uploading a crafted zip bomb via POST /api/v2/files, crashing the service before RBAC checks execute. Affected versions span all supported release lines prior to v2.34.2, v2.33.8, v2.32.7, and v2.29.17 (ESR). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated session with file-upload access to the coderd API (POST /api/v2/files). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) accurately characterizes this as a medium-severity, network-exploitable denial of service requiring low-privilege authentication - not a critical emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Coder user with minimal permissions crafts a zip archive under 100 MiB containing thousands of highly compressible entries (e.g., files filled with null bytes or repeated patterns) whose aggregate decompressed size is multiple gigabytes. They POST this archive to the coderd /api/v2/files endpoint repeatedly; each request causes the server to decompress all entries into an unbounded in-memory buffer, rapidly exhausting available RAM and crashing the coderd process, rendering the Coder deployment unavailable to all users. … |
| Remediation | Upgrade to the vendor-released patched versions: v2.34.2 for the 2.34 release line, v2.33.8 for 2.33, v2.32.7 for 2.32, or v2.29.17 for the 2.29 ESR line. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-2mg2-p7r7-g27f