Skip to main content

Coder CVE-2026-55078

MEDIUM
Improper Handling of Highly Compressed Data (Data Amplification) (CWE-409)
2026-07-06 https://github.com/coder/coder GHSA-2mg2-p7r7-g27f
6.5
CVSS 3.1 · Vendor: https://github.com/coder/coder
Share

Severity by source

Vendor (https://github.com/coder/coder) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Network-reachable API endpoint, low-complexity trigger, low-privilege authentication required; availability-only impact with no confidentiality or integrity effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/coder/coder).

CVSS VectorVendor: https://github.com/coder/coder

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 06, 2026 - 22:34 vuln.today

DescriptionCVE.org

Summary

POST /api/v2/files converts zip uploads to tar in memory via CreateTarFromZip, which enforced a per-entry size limit but no aggregate limit on total decompressed output, writing to an unbounded in-memory buffer.

> Note: Exploitation requires authenticated file-upload access and the impact is limited to availability (denial of service).

Impact

An authenticated user could upload a zip within the 100 MiB upload limit but containing many highly compressible entries whose decompressed size exhausted memory, crashing coderd before any RBAC check. Repeated requests could keep the service unavailable. This is a denial of service; it does not allow data disclosure or code execution.

Patches

The fix adds a metadata preflight check that sums projected entry sizes and a streaming writer that enforces the aggregate limit during decompression.

The fix was backported to all supported release lines:

Release linePatched version
2.34v2.34.2
2.33v2.33.8
2.32v2.32.7
2.29 (ESR)v2.29.17

Workarounds

Restrict file-upload permissions to trusted users or place a reverse proxy with request-body size limits in front of coderd.

Resources

  • Fix: #25877

Credits

Coder would like to thank Anthropic's Security Team (ANT-2026-22438) for independently disclosing this issue!

AnalysisAI

Denial of service in Coder's coderd server allows any authenticated user with file-upload access to exhaust server memory by uploading a crafted zip bomb via POST /api/v2/files, crashing the service before RBAC checks execute. Affected versions span all supported release lines prior to v2.34.2, v2.33.8, v2.32.7, and v2.29.17 (ESR). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to coderd with low-privilege account
Delivery
Craft zip bomb within 100 MiB HTTP limit
Exploit
POST archive to /api/v2/files endpoint
Execution
Trigger unbounded in-memory decompression via CreateTarFromZip
Persist
Exhaust server RAM before RBAC check
Impact
Crash coderd, denying service to all users

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated session with file-upload access to the coderd API (POST /api/v2/files). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) accurately characterizes this as a medium-severity, network-exploitable denial of service requiring low-privilege authentication - not a critical emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Coder user with minimal permissions crafts a zip archive under 100 MiB containing thousands of highly compressible entries (e.g., files filled with null bytes or repeated patterns) whose aggregate decompressed size is multiple gigabytes. They POST this archive to the coderd /api/v2/files endpoint repeatedly; each request causes the server to decompress all entries into an unbounded in-memory buffer, rapidly exhausting available RAM and crashing the coderd process, rendering the Coder deployment unavailable to all users. …
Remediation Upgrade to the vendor-released patched versions: v2.34.2 for the 2.34 release line, v2.33.8 for 2.33, v2.32.7 for 2.32, or v2.29.17 for the 2.29 ESR line. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55078 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy