Session Token Vulnerability in code-server by Coder
CVE-2025-47269

8.3 HIGH

Key Information:

Vendor: Coder
CVE Published: 9 May 2025

What is CVE-2025-47269?

A vulnerability in code-server allows an attacker to abuse improperly validated proxy requests to obtain sensitive session tokens. With a maliciously crafted URL, the attacker can cause requests to be redirected to an arbitrary domain. If a victim clicks the crafted link while using code-server with the proxy feature enabled, the user's session cookie can be exfiltrated. Versions prior to 4.99.4 are vulnerable; the issue has been addressed in the latest release.

Affected Version(s)

code-server < 4.99.4

CVSS V3.1

Score: 8.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
