DNS Rebinding Vulnerability in AgentAPI by Coder
CVE-2025-59956
6.5 MEDIUM
What is CVE-2025-59956?
AgentAPI, an HTTP API for multiple coding tools such as Claude Code and Aider, is vulnerable to a client-side DNS rebinding attack when it runs over unprotected HTTP on localhost. An attacker can exploit the /messages endpoint of the API, potentially gaining unauthorized access to sensitive information, including local message history, secret keys, and intellectual property. The flaw is fixed in AgentAPI version 0.4.0, so affected installations should be updated.
Affected Version(s)
agentapi < 0.4.0
