CVE-2025-66411
BaseFortify
Publication date: 2025-12-03
Last updated on: 2026-02-13
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| coder | coder | Up to 2.26.5 (exc) |
| coder | coder | From 2.27.0 (inc) to 2.27.7 (exc) |
| coder | coder | From 2.28.0 (inc) to 2.28.4 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-532 | The product writes sensitive information to a log file. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves Coder's Workspace Agent logging manifests that contain sensitive values in plaintext without sanitization. This means that sensitive information could be exposed in logs. An attacker with limited local access to the Coder Workspace environment or access to third-party systems that collect these logs could retrieve sensitive data from these logs.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized disclosure of sensitive information through logs. An attacker with limited local access or access to logging systems could obtain sensitive data, potentially leading to data breaches, loss of confidentiality, and further exploitation of the environment.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Coder Workspace Agent to version 2.26.5, 2.27.7, or 2.28.4 (or later in the corresponding release line), as these versions contain the fix for the vulnerability where sensitive values in Workspace Agent manifests were logged in plaintext.
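The CWE-532 pattern the Q&A describes, and the sanitization the fix amounts to, are easier to see in code. The following Go example is added here for illustration; it is not Coder's code, and the `Manifest` type, its field names, the `sensitiveKeyFragments` list and every secret value in it are constructed for the example. It shows a log line that dumps the whole manifest next to one that logs a redacted copy, plus a `LeakedSecrets` check of the kind a unit test or log-review rule could run to catch this class of regression.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Manifest stands in for the kind of workspace-agent manifest the advisory
// describes. The field names are constructed for this example; they are not
// Coder's real types.
type Manifest struct {
	WorkspaceName string
	OwnerEmail    string
	EnvVars       map[string]string // may carry tokens or credentials
	GitAuthToken  string
}

// Key fragments treated as secret-bearing (an assumption for this example).
var sensitiveKeyFragments = []string{"TOKEN", "SECRET", "PASSWORD", "KEY"}

const redacted = "[REDACTED]"

func isSensitiveKey(key string) bool {
	upper := strings.ToUpper(key)
	for _, frag := range sensitiveKeyFragments {
		if strings.Contains(upper, frag) {
			return true
		}
	}
	return false
}

// UnsafeLogLine shows the CWE-532 pattern: the whole manifest is formatted
// into the log line, so every secret it carries lands in the log.
func UnsafeLogLine(m Manifest) string {
	return fmt.Sprintf("agent manifest received: %+v", m)
}

// Sanitize returns a copy of the manifest with secret-bearing values replaced.
// The original is left untouched so the agent can still use the real values.
func Sanitize(m Manifest) Manifest {
	out := m
	out.EnvVars = make(map[string]string, len(m.EnvVars))
	for k, v := range m.EnvVars {
		if isSensitiveKey(k) {
			out.EnvVars[k] = redacted
		} else {
			out.EnvVars[k] = v
		}
	}
	if out.GitAuthToken != "" {
		out.GitAuthToken = redacted
	}
	return out
}

// SafeLogLine logs the sanitized copy instead of the raw manifest.
func SafeLogLine(m Manifest) string {
	return fmt.Sprintf("agent manifest received: %+v", Sanitize(m))
}

// LeakedSecrets reports which secret-bearing fields of m appear verbatim in
// line. This is the check a unit test or a log-review rule would run to catch
// a regression of this bug. The result is sorted for deterministic output.
func LeakedSecrets(line string, m Manifest) []string {
	var leaks []string
	for k, v := range m.EnvVars {
		if isSensitiveKey(k) && v != "" && strings.Contains(line, v) {
			leaks = append(leaks, k)
		}
	}
	if m.GitAuthToken != "" && strings.Contains(line, m.GitAuthToken) {
		leaks = append(leaks, "GitAuthToken")
	}
	sort.Strings(leaks)
	return leaks
}

// SampleManifest is a constructed input; every secret in it is fake.
func SampleManifest() Manifest {
	return Manifest{
		WorkspaceName: "dev-box",
		OwnerEmail:    "alice@example.test",
		EnvVars: map[string]string{
			"DATABASE_URL": "postgres://db.internal/app",
			"API_TOKEN":    "tok-constructed-123",
		},
		GitAuthToken: "ghp-constructed-abc",
	}
}

func main() {
	m := SampleManifest()
	fmt.Println("unsafe:", UnsafeLogLine(m), "leaks:", LeakedSecrets(UnsafeLogLine(m), m))
	fmt.Println("safe:  ", SafeLogLine(m), "leaks:", LeakedSecrets(SafeLogLine(m), m))
}
```

The design point is that redaction happens on a copy at the log call site, so nothing downstream of the logger (files, a log-shipping agent, a third-party collector) ever sees the raw values; a key-name allow/deny list is a coarse heuristic, and a real agent would mark secret fields explicitly on the type rather than guess from names.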