Headline
GHSA-jf75-p25m-pw74: Coder logs sensitive objects unsanitized
Summary
Workspace Agent manifests containing sensitive values were logged in plaintext, unsanitized.
Details
By default, Workspace Agent logs are redirected to stderr: https://github.com/coder/coder/blob/a8862be546f347c59201e2219d917e28121c0edb/cli/agent.go#L432-L439
Workspace Agent manifests containing sensitive environment variables were logged insecurely: https://github.com/coder/coder/blob/7beb95fd56d2f790502e236b64906f8eefb969bd/agent/agent.go#L1090
An attacker with limited local access to the Coder Workspace (VM, K8s Pod, etc.) or to a third-party system that collects the logs (SIEM, logging stack) could read those values.
This behavior opened room for unauthorized access and privilege escalation.
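A defensive pattern for the logging issue described above, added here as an example and not taken from coder/coder: the Manifest type, its field names and the "[REDACTED]" marker are assumptions. Implementing slog.LogValuer on the manifest means a structured logger only ever receives key names and a count, so even an accidental log of the whole object cannot leak environment values.

```go
package main

import (
	"bytes"
	"fmt"
	"log/slog"
	"sort"
)

// Manifest is a constructed stand-in for an agent manifest, not coder/coder's own type.
type Manifest struct {
	AgentID string
	Env     map[string]string
}

// Redacted returns a copy with every environment value replaced; key names survive.
func (m Manifest) Redacted() Manifest {
	out := Manifest{AgentID: m.AgentID, Env: make(map[string]string, len(m.Env))}
	for k := range m.Env {
		out.Env[k] = "[REDACTED]"
	}
	return out
}

// LogValue makes Manifest a slog.LogValuer, so even a careless
// logger.Info("...", "manifest", m) can only emit the redacted shape.
func (m Manifest) LogValue() slog.Value {
	keys := make([]string, 0, len(m.Env))
	for k := range m.Env {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic output; map iteration order is random
	return slog.GroupValue(
		slog.String("agent_id", m.AgentID),
		slog.Int("env_count", len(keys)),
		slog.Any("env_keys", keys),
	)
}

// LogLine renders the manifest through a text handler and returns the line.
func LogLine(m Manifest) string {
	var buf bytes.Buffer
	slog.New(slog.NewTextHandler(&buf, nil)).Info("manifest received", "manifest", m)
	return buf.String()
}

func main() {
	m := Manifest{AgentID: "agent-1", Env: map[string]string{"DB_PASSWORD": "fake-secret", "PATH": "/usr/bin"}} // constructed sample
	fmt.Print(LogLine(m), m.Redacted().Env, "\n")
}
```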
Impact
Impact varies depending on the environment variables set in a given workspace.
Patches
The fix was released and backported:
- https://github.com/coder/coder/releases/tag/v2.28.4
- https://github.com/coder/coder/releases/tag/v2.27.7
- https://github.com/coder/coder/releases/tag/v2.26.5
Workarounds
One potential workaround is to disable Workspace Agent logs by setting the following configuration option:
CODER_AGENT_LOGGING_HUMAN=/dev/null
Platform operators are advised to upgrade their deployments.
CVE-2025-66411
High severity GitHub Reviewed Published Dec 3, 2025 in coder/coder • Updated Dec 3, 2025
Package
gomod github.com/coder/coder/v2 (Go)
Affected versions
< 2.26.5
>= 2.27.0, < 2.27.7
>= 2.28.0, < 2.28.4
Patched versions
2.26.5
2.27.7
2.28.4
Published to the GitHub Advisory Database: Dec 3, 2025