CVE-2026-55078
Received Received - Intake

Memory Corruption in Coder Remote Dev Environments

Vulnerability report for CVE-2026-55078, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.17.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `POST /api/v2/files` converts zip uploads to tar in memory via `CreateTarFromZip`, which enforced a per-entry size limit but no aggregate limit on total decompressed output, writing to an unbounded in-memory buffer. Exploitation requires authenticated file-upload access and the impact is limited to availability (denial of service). The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds a metadata preflight check that sums projected entry sizes and a streaming writer that enforces the aggregate limit during decompression. As a workaround, restrict file-upload permissions to trusted users or place a reverse proxy with request-body size limits in front of `coderd`.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Coder versions starting from 2.17.0 up to versions before 2.29.7, 2.32.7, 2.33.8, and 2.34.2. It occurs in the `POST /api/v2/files` endpoint, which converts uploaded zip files to tar format in memory. While there is a size limit on each individual entry in the archive, there is no limit on the total decompressed size of all entries combined. This allows an attacker with authenticated file-upload access to cause the system to write to an unbounded in-memory buffer, potentially exhausting system resources.

The vulnerability can be exploited to cause a denial of service by overwhelming the system's memory during decompression.

The issue was fixed in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 by adding a metadata preflight check that sums the projected sizes of all entries and by using a streaming writer that enforces an aggregate size limit during decompression.

As a workaround, it is recommended to restrict file-upload permissions to trusted users or to place a reverse proxy with request-body size limits in front of the affected service.

Impact Analysis

The primary impact of this vulnerability is on availability. An attacker with authenticated file-upload access can exploit the lack of an aggregate decompression size limit to cause a denial of service by consuming excessive memory resources.

There is no impact on confidentiality or integrity, as the vulnerability does not allow unauthorized data access or modification.

Mitigation Strategies

To mitigate this vulnerability immediately, restrict file-upload permissions to trusted users only.

Alternatively, place a reverse proxy with request-body size limits in front of the coderd service to limit the size of uploads.

Also, upgrade to fixed versions 2.29.7, 2.32.7, 2.33.8, or 2.34.2 where the vulnerability is addressed by adding aggregate size limits during decompression.

Compliance Impact

This vulnerability impacts availability by allowing a denial of service through unbounded memory consumption during file decompression. However, there is no indication that it affects confidentiality or integrity of data.

Since the vulnerability does not involve unauthorized data access or data leakage, it is unlikely to directly impact compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on protecting personal data confidentiality and integrity.

Organizations should still address the vulnerability to maintain system availability, which is a component of overall security best practices and may indirectly support compliance efforts.

Detection Guidance

This vulnerability requires authenticated file-upload access to the endpoint POST /api/v2/files in Coder versions starting from 2.17.0 up to but not including 2.29.7, 2.32.7, 2.33.8, and 2.34.2. Detection involves verifying the version of Coder in use and monitoring or restricting access to this API endpoint.

Since exploitation involves uploading zip files that are converted to tar archives without aggregate size limits, one detection approach is to monitor or log file upload requests to /api/v2/files for unusually large or suspicious payloads.

No specific commands or detection scripts are provided in the available information.

As a workaround, restrict file-upload permissions to trusted users or place a reverse proxy with request-body size limits in front of the coderd service to mitigate potential exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55078. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart