CVE-2026-55079

Summary

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.24.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, NewDataBuilder in provisionersdk/proto/dataupload.go allocated a byte slice using the client-supplied FileSize from a DataUpload message without an upper-bound check. Although the DRPC wire limit is 4 MiB, the FileSize value itself was unconstrained. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates FileSize against an upper bound (MaxFileSize = 100 MiB) before allocation. As a workaround, restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts.

Affected Software

VendorProductVersion RangeStatus
codercoder>= 2.34.0, < 2.34.2affected
codercoder>= 2.33.0, < 2.33.8affected
codercoder>= 2.30.0, < 2.32.7affected
codercoder>= 2.24.0, < 2.29.17affected

Weaknesses

  • CWE-789: CWE-789: Memory Allocation with Excessive Size Value

References