CVE-2025-66411 HIGH

CVE-2025-66411: Coder logged sensitive objects unsanitized

Vendor Coder
Product coder
Weakness CWE-532 · Sensitive info in logs
Published December 3, 2025
Last update December 3, 2025

CVSS base score

7.8/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

Coder allows organizations to provision remote development environments via Terraform. Prior to 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values (credentials the agent needs at startup) were written to logs in plaintext, without sanitization. An attacker with limited local access to the workspace (VM, Kubernetes pod, etc.) or to a downstream system that ingests those logs (SIEM, logging stack) could read the sensitive values. This vulnerability is fixed in 2.26.5, 2.27.7, and 2.28.4. Upgrading stops new leakage; copies already written to workspace logs or shipped to a log aggregator remain readable until they are purged and any exposed credentials are rotated.
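The following Go program is an added illustration of the bug class, not Coder's own code: it logs a manifest with %+v (every field, secrets included), then the fixed pattern that logs a redacted copy, plus a check that reports which secret values appear verbatim in a given log line, which is the audit to run over logs written before the upgrade. The Manifest type, its field names, the secret-name markers and the sample values are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"log/slog"
	"os"
	"sort"
	"strings"
)

// Manifest is a hypothetical stand-in for a workspace agent manifest (not
// Coder's real type). Some of what the agent needs at startup is a credential.
type Manifest struct {
	AgentID              string
	EnvironmentVariables map[string]string
	GitAuthToken         string
}

// secretMarkers is an assumed denylist: an env var whose name contains one of
// these is treated as secret-bearing.
var secretMarkers = []string{"TOKEN", "SECRET", "PASSWORD", "PASSWD", "KEY", "CREDENTIAL"}

const redacted = "[REDACTED]"

func isSensitiveKey(name string) bool {
	upper := strings.ToUpper(name)
	for _, m := range secretMarkers {
		if strings.Contains(upper, m) {
			return true
		}
	}
	return false
}

// LogUnsanitized is the vulnerable pattern: %+v serialises every field, so
// tokens and secret env vars land in the log line verbatim.
func LogUnsanitized(m Manifest) string {
	return fmt.Sprintf("agent manifest received: %+v", m)
}

// Sanitized returns a copy with credential fields replaced. It must be a copy:
// the agent still needs the real values after logging.
func (m Manifest) Sanitized() Manifest {
	out := Manifest{AgentID: m.AgentID, EnvironmentVariables: make(map[string]string, len(m.EnvironmentVariables))}
	for k, v := range m.EnvironmentVariables {
		if isSensitiveKey(k) {
			out.EnvironmentVariables[k] = redacted
		} else {
			out.EnvironmentVariables[k] = v
		}
	}
	if m.GitAuthToken != "" {
		out.GitAuthToken = redacted
	}
	return out
}

// LogSanitized is the fixed pattern: only the redacted copy reaches the log.
func LogSanitized(m Manifest) string {
	return fmt.Sprintf("agent manifest received: %+v", m.Sanitized())
}

// LogValue implements slog.LogValuer so that passing a Manifest to slog as an
// attribute value redacts automatically; a later caller cannot reintroduce
// the leak through slog by accident.
func (m Manifest) LogValue() slog.Value {
	s := m.Sanitized()
	return slog.GroupValue(
		slog.String("agent_id", s.AgentID),
		slog.Any("env", s.EnvironmentVariables),
		slog.String("git_auth_token", s.GitAuthToken),
	)
}

// Secrets lists the manifest's raw credential values, sorted, for the audit.
func (m Manifest) Secrets() []string {
	var out []string
	for k, v := range m.EnvironmentVariables {
		if isSensitiveKey(k) && v != "" {
			out = append(out, v)
		}
	}
	if m.GitAuthToken != "" {
		out = append(out, m.GitAuthToken)
	}
	sort.Strings(out)
	return out
}

// LeakedSecrets reports which secret values occur verbatim in a log line.
func LeakedSecrets(logLine string, m Manifest) []string {
	var leaked []string
	for _, s := range m.Secrets() {
		if strings.Contains(logLine, s) {
			leaked = append(leaked, s)
		}
	}
	return leaked
}

// sampleManifest is constructed test data, not a real capture.
func sampleManifest() Manifest {
	return Manifest{
		AgentID: "agent-1234",
		EnvironmentVariables: map[string]string{
			"CODER_WORKSPACE_NAME":  "dev",
			"DATABASE_PASSWORD":     "hunter2",
			"AWS_SECRET_ACCESS_KEY": "EXAMPLEKEY000",
		},
		GitAuthToken: "ghp_examplegitauthtoken",
	}
}

func main() {
	m := sampleManifest()
	fmt.Println("vulnerable:", LogUnsanitized(m))
	fmt.Println("fixed:     ", LogSanitized(m))
	fmt.Println("leaked from vulnerable line:", LeakedSecrets(LogUnsanitized(m), m))
	fmt.Println("leaked from fixed line:     ", LeakedSecrets(LogSanitized(m), m))
	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
	logger.Info("agent manifest received", "manifest", m) // LogValue redacts here
}
```

The denylist-by-name approach is deliberately conservative: a value whose key is not recognised still leaks, so the audit function is the safety net, and the slog.LogValuer makes the redaction the default rather than something each call site has to remember.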

Key dates

Disclosure timeline

December 3, 2025 CVE published
December 3, 2025 Record updated