CVE-2025-66411
HIGH 7.8 | EPSS 0.04% | Coder logs sensitive objects unsanitized
Description
## Summary

Workspace Agent manifests containing sensitive values were logged in plaintext, unsanitized.

## Details

By default, Workspace Agent logs are redirected to [stderr](https://linux.die.net/man/3/stderr):
https://github.com/coder/coder/blob/a8862be546f347c59201e2219d917e28121c0edb/cli/agent.go#L432-L439

[Workspace Agent Manifests](https://coder.com/docs/reference/agent-api/schemas#agentsdkmanifest) containing sensitive environment variables were logged insecurely:
https://github.com/coder/coder/blob/7beb95fd56d2f790502e236b64906f8eefb969bd/agent/agent.go#L1090

An attacker with limited local access to the Coder Workspace (VM, K8s Pod etc.) or to a third-party system ([SIEM](https://csrc.nist.gov/glossary/term/security_information_and_event_management_tool), logging stack) could access those logs. This behavior opened room for unauthorized access and privilege escalation.

## Impact

Impact varies depending on the environment variables set in a given workspace.

## Patches

[Fix](https://github.com/coder/coder/commit/e2a46393fce40bc630df3293c1ee66a596277289) was released & backported:

- https://github.com/coder/coder/releases/tag/v2.28.4
- https://github.com/coder/coder/releases/tag/v2.27.7
- https://github.com/coder/coder/releases/tag/v2.26.5

## Workarounds

One potential workaround is to disable Workspace Agent Logs by setting the following configuration option: `CODER_AGENT_LOGGING_HUMAN=/dev/null`

> platform operators are advised to upgrade their deployments
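As an added illustration of the mitigation (example code, not coder's own; the `Manifest` type and the `ForLog`, `ManifestLogLine` and `LeaksValue` names are assumed for this example), a log-safe view of the manifest that masks every environment variable value while keeping the key names, plus a regression check that no original value appears in the emitted log line:

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Manifest is a simplified stand-in for the agent manifest in the advisory
// (assumed shape for this example, not coder's own type).
type Manifest struct {
	AgentID              string            `json:"agent_id"`
	EnvironmentVariables map[string]string `json:"environment_variables"`
}

// ForLog returns a copy safe to write to stderr or ship to a SIEM: every
// variable value is replaced by a fixed mask, keys are kept so operators can
// still see which variables reached the agent. The original map is untouched.
func (m Manifest) ForLog() Manifest {
	safe := Manifest{AgentID: m.AgentID,
		EnvironmentVariables: make(map[string]string, len(m.EnvironmentVariables))}
	for k := range m.EnvironmentVariables {
		safe.EnvironmentVariables[k] = "[REDACTED]"
	}
	return safe
}

// ManifestLogLine renders the redacted manifest as the JSON the logger emits.
func ManifestLogLine(m Manifest) (string, error) {
	b, err := json.Marshal(m.ForLog())
	return string(b), err
}

// LeaksValue reports whether any non-empty original value shows up verbatim
// in a log line; usable as a test against captured agent log output.
func LeaksValue(logLine string, m Manifest) bool {
	for _, v := range m.EnvironmentVariables {
		if v != "" && strings.Contains(logLine, v) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample manifest; the secret value is fake.
	m := Manifest{AgentID: "agent-123", EnvironmentVariables: map[string]string{
		"DB_PASSWORD": "hunter2", "HOME": "/home/coder"}}
	line, _ := ManifestLogLine(m)
	fmt.Fprintln(os.Stderr, "received manifest:", line, "leak:", LeaksValue(line, m))
}
```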
Affected packages (3)
- Go / github.com/coder/coder: from 0
- Go / github.com/coder/coder/v2: from 0, < 2.26.5
- Go / github.com/coder/coder/v2: from 0, < 2.26.5; >= 2.27.0, < 2.27.7; >= 2.28.0, < 2.28.4
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References (10)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-66411
- PATCH: https://github.com/coder/coder
- WEB: https://github.com/coder/coder/commit/06c6abbe0935f9213c1588add60a396da5762e1c
- WEB: https://github.com/coder/coder/commit/a75205a559211c8aa494b1a16750d114b263f24a
- WEB: https://github.com/coder/coder/commit/e2a46393fce40bc630df3293c1ee66a596277289
- WEB: https://github.com/coder/coder/pull/20968
- WEB: https://github.com/coder/coder/releases/tag/v2.26.5
- WEB: https://github.com/coder/coder/releases/tag/v2.27.7
- WEB: https://github.com/coder/coder/releases/tag/v2.28.4
- WEB: https://github.com/coder/coder/security/advisories/GHSA-jf75-p25m-pw74