Insecure Session Handling Vulnerability in Coder by Coder
CVE-2025-58437

8.1HIGH

Key Information:

Vendor

Coder

Status
Coder
Vendor
CVE Published:
6 September 2025

What is CVE-2025-58437?

The vulnerability in Coder arises from insecure session handling within prebuilt workspaces. Specifically, a session token generated for users when initiating a workspace remains active even after a workspace is claimed. This allows a potentially unauthorized user to exploit the session token, leading to unauthorized access or actions on the workspace. Versions prior to 2.24.4 and 2.25.2 contain this flaw. To mitigate this issue, it is crucial to update Coder to the latest versions where this vulnerability has been addressed.

Affected Version(s)

coder >= 2.22.0, < 2.24.4 < 2.22.0, 2.24.4

coder >= 2.25.0, < 2.25.2 < 2.25.0, 2.25.2

References

https://github.com/coder/coder/security/advisories/GHSA-j...
x_refsource_CONFIRM
https://github.com/coder/coder/pull/19667
x_refsource_MISC
https://github.com/coder/coder/pull/19668
x_refsource_MISC

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.