CVE-2025-66411
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-03

Last updated on: 2026-02-13

Assigner: GitHub, Inc.

Description
Coder allows organizations to provision remote development environments via Terraform. Prior to 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized. An attacker with limited local access to the Coder Workspace (VM, K8s Pod etc.) or a third-party system (SIEM, logging stack) could access those logs. This vulnerability is fixed in 2.26.5, 2.27.7, and 2.28.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-03
Last Modified
2026-02-13
Generated
2026-06-16
AI Q&A
2025-12-03
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66411
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
coder coder to 2.26.5 (exc)
coder coder From 2.27.0 (inc) to 2.27.7 (exc)
coder coder From 2.28.0 (inc) to 2.28.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves Coder's Workspace Agent logging manifests that contain sensitive values in plaintext without sanitization. This means that sensitive information could be exposed in logs. An attacker with limited local access to the Coder Workspace environment or access to third-party systems that collect these logs could retrieve sensitive data from these logs.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive information through logs. An attacker with limited local access or access to logging systems could obtain sensitive data, potentially leading to data breaches, loss of confidentiality, and further exploitation of the environment.

Mitigation Strategies

Upgrade Coder Workspace Agent to version 2.26.5, 2.27.7, or 2.28.4 or later, as these versions contain the fix for the vulnerability where sensitive values in Workspace Agent manifests were logged in plaintext.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66411. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart