Denial of Service Vulnerability in Coder's Terraform Development Environment
CVE-2026-55078
What is CVE-2026-55078?
The vulnerability in Coder's development environments concerns a flaw in the file upload mechanism. Specifically, when zips are uploaded via the API, the system converts them to tar files in memory. This process correctly applies a size limit per entry but fails to impose a total size limit on the entire decompressed data. As a result, it can lead to an unbounded in-memory buffer allocation, resulting in a Denial of Service condition. Proper mitigation requires updating to safe versions where preflight checks and size limit enforcement mechanisms have been implemented. Organizations running affected versions should restrict user permissions for file uploads or implement reverse proxies to mitigate potential exploitation.
Affected Version(s)
coder >= 2.34.0, < 2.34.2 < 2.34.0, 2.34.2
coder >= 2.33.0, < 2.33.8 < 2.33.0, 2.33.8
coder >= 2.30.0, < 2.32.7 < 2.30.0, 2.32.7
