CVE-2025-58437

Sept. 6, 2025, 3:15 a.m.

8.1
High

Description

Coder allows organizations to provision remote development environments via Terraform. In versions 2.22.0 through 2.24.3, 2.25.0 and 2.25.1, Coder can be compromised through insecure session handling in prebuilt workspaces. Coder automatically generates a session token for a user when a workspace is started. It is automatically exposed via coder_workspace_owner.session_token. Prebuilt workspaces are initially owned by a built-in prebuilds system user. When a prebuilt workspace is claimed, a new session token is generated for the user that claimed the workspace, but the previous session token for the prebuilds user was not expired. Any Coder workspace templates that persist this automatically generated session token are potentially impacted. This is fixed in versions 2.24.4 and 2.25.2.

Product(s) Impacted

Vendor Product Versions
Coder
  • Coder
  • 2.22.0, 2.23.0, 2.24.0, 2.24.1, 2.24.2, 2.24.3, 2.25.0, 2.25.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-277
Insecure Inherited Permissions
A product defines a set of insecure permissions that are inherited by objects that are created by the program.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a coder coder 2.22.0 / / / / / / /
a coder coder 2.23.0 / / / / / / /
a coder coder 2.24.0 / / / / / / /
a coder coder 2.24.1 / / / / / / /
a coder coder 2.24.2 / / / / / / /
a coder coder 2.24.3 / / / / / / /
a coder coder 2.25.0 / / / / / / /
a coder coder 2.25.1 / / / / / / /

References

https://github.com/coder/coder/commit/06cbb2890f453cd522bb2158a6549afa3419c276
https://github.com/coder/coder/commit/20d67d7d7191a4fd5d36a61c6fc1e23ab59befc0
https://github.com/coder/coder/commit/ec660907faa0b0eae20fa2ba58ce1733f5f4b35a
https://github.com/coder/coder/pull/19667
https://github.com/coder/coder/pull/19668
https://github.com/coder/coder/pull/19669
https://github.com/coder/coder/security/advisories/GHSA-j6xf-jwrj-v5qp

Tags

security-advisories@github.com
CWE-277
2025-09-06
CVE-2025-58437

CVSS Score

8.1 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

    View Vector String

Timeline

Published: Sept. 6, 2025, 3:15 a.m.
Last Modified: Sept. 6, 2025, 3:15 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.