CVE-2026-55079 PUBLISHED

Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service

Assigner: GitHub_M
Reserved: 16.06.2026 Published: 07.07.2026 Updated: 08.07.2026

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.24.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, NewDataBuilder in provisionersdk/proto/dataupload.go allocated a byte slice using the client-supplied FileSize from a DataUpload message without an upper-bound check. Although the DRPC wire limit is 4 MiB, the FileSize value itself was unconstrained. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates FileSize against an upper bound (MaxFileSize = 100 MiB) before allocation. As a workaround, restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 4.9

Product Status

Vendor coder
Product coder
Versions
  • Version >= 2.34.0, < 2.34.2 is affected
  • Version >= 2.33.0, < 2.33.8 is affected
  • Version >= 2.30.0, < 2.32.7 is affected
  • Version >= 2.24.0, < 2.29.17 is affected

References

Problem Types

  • CWE-789: Memory Allocation with Excessive Size Value CWE