CVE-2026-55078

Source
https://cve.org/CVERecord?id=CVE-2026-55078
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55078.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-55078
Aliases
Published
2026-07-07T22:47:07.079Z
Modified
2026-07-09T04:00:36.289077848Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service
Details

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.17.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, POST /api/v2/files converts zip uploads to tar in memory via CreateTarFromZip, which enforced a per-entry size limit but no aggregate limit on total decompressed output, writing to an unbounded in-memory buffer. Exploitation requires authenticated file-upload access and the impact is limited to availability (denial of service). The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds a metadata preflight check that sums projected entry sizes and a streaming writer that enforces the aggregate limit during decompression. As a workaround, restrict file-upload permissions to trusted users or place a reverse proxy with request-body size limits in front of coderd.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55078.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-409",
        "CWE-770"
    ]
}
References

Affected packages

Git / github.com/coder/coder

Affected ranges

Type
GIT
Repo
https://github.com/coder/coder
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "2.34.0"
        },
        {
            "fixed": "2.34.2"
        },
        {
            "introduced": "2.33.0"
        },
        {
            "fixed": "2.33.8"
        },
        {
            "introduced": "2.30.0"
        },
        {
            "fixed": "2.32.7"
        },
        {
            "introduced": "2.17.0"
        },
        {
            "fixed": "2.29.17"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

v2.*
v2.33.0
v2.33.1
v2.33.2
v2.33.3
v2.33.4
v2.33.5
v2.33.6
v2.33.7
v2.34.0
v2.34.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55078.json"