CVE-2025-58437
Severity: HIGH
Description
Coder allows organizations to provision remote development environments via Terraform. In versions 2.22.0 through 2.24.3, 2.25.0 and 2.25.1, Coder can be compromised through insecure session handling in prebuilt workspaces. Coder automatically generates a session token for a user when a workspace is started, and exposes it to the template as coder_workspace_owner.session_token. Prebuilt workspaces are initially owned by a built-in prebuilds system user. When a prebuilt workspace is claimed, a new session token is generated for the user who claimed the workspace, but the previous session token for the prebuilds user was not expired, so any copy of it that the template had written into the workspace remained valid after the claim. Any Coder workspace template that persists this automatically generated session token is potentially impacted; templates that never store the token are not. This is fixed in versions 2.24.4 and 2.25.2.
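The flaw is an ownership-transfer bug: the claim step mints a token for the new owner without revoking the one the previous owner (the prebuilds user) already had. The Go program below is an added example written for this page, not Coder's code, using an invented in-memory session store (the Workspace, Session and Store types and every function name are assumptions). It runs the same claim twice, once with the pre-fix behaviour and once with revocation on claim, and reports whether the prebuilds token a template might have persisted still authenticates afterwards.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Hypothetical, simplified model of a session store, written for this page to
// illustrate the ownership-transfer flaw behind CVE-2025-58437. It is not
// Coder's code; all type and function names are invented for the example.

type Workspace struct {
	ID    string
	Owner string // user the workspace currently belongs to
}

type Session struct {
	Token     string
	UserID    string // identity the token authenticates as
	Workspace string // workspace whose start minted this token
	ExpiresAt time.Time
}

type Store struct {
	sessions map[string]*Session // keyed by token value
}

func NewStore() *Store { return &Store{sessions: map[string]*Session{}} }

func randomToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// IssueSession models the token generated when a workspace starts, which the
// template sees as coder_workspace_owner.session_token.
func (s *Store) IssueSession(ws *Workspace, ttl time.Duration) *Session {
	sess := &Session{
		Token:     randomToken(),
		UserID:    ws.Owner,
		Workspace: ws.ID,
		ExpiresAt: time.Now().Add(ttl),
	}
	s.sessions[sess.Token] = sess
	return sess
}

// Authenticate returns the user a token currently authenticates as.
func (s *Store) Authenticate(token string) (string, error) {
	sess, ok := s.sessions[token]
	if !ok || !time.Now().Before(sess.ExpiresAt) {
		return "", errors.New("invalid or expired token")
	}
	return sess.UserID, nil
}

// ClaimVulnerable transfers ownership and mints a token for the claimer but
// leaves the previous owner's token live: the behaviour the advisory describes.
func (s *Store) ClaimVulnerable(ws *Workspace, claimer string, ttl time.Duration) *Session {
	ws.Owner = claimer
	return s.IssueSession(ws, ttl)
}

// ClaimFixed revokes every token minted for this workspace under the previous
// owner before issuing the claimer's token, so a persisted copy is dead.
func (s *Store) ClaimFixed(ws *Workspace, claimer string, ttl time.Duration) *Session {
	previous := ws.Owner
	for tok, sess := range s.sessions { // deleting during range is safe in Go
		if sess.Workspace == ws.ID && sess.UserID == previous {
			delete(s.sessions, tok)
		}
	}
	ws.Owner = claimer
	return s.IssueSession(ws, ttl)
}

// RunClaim exercises one claim flow on a constructed prebuilt workspace and
// reports whether the prebuilds user's original token still authenticates as
// "prebuilds" afterwards, and whether the claimer's new token works.
func RunClaim(claim func(*Store, *Workspace, string, time.Duration) *Session) (staleValid, newValid bool) {
	store := NewStore()
	ws := &Workspace{ID: "ws-prebuild-1", Owner: "prebuilds"} // constructed sample
	stale := store.IssueSession(ws, 24*time.Hour).Token        // what a template might persist
	fresh := claim(store, ws, "alice", 24*time.Hour).Token

	who, err := store.Authenticate(stale)
	staleValid = err == nil && who == "prebuilds"
	who, err = store.Authenticate(fresh)
	newValid = err == nil && who == "alice"
	return staleValid, newValid
}

func main() {
	s, n := RunClaim((*Store).ClaimVulnerable)
	fmt.Printf("vulnerable: stale prebuilds token valid=%v, claimer token valid=%v\n", s, n)
	s, n = RunClaim((*Store).ClaimFixed)
	fmt.Printf("fixed:      stale prebuilds token valid=%v, claimer token valid=%v\n", s, n)
}
```

The practical takeaway for operators is twofold: upgrade to 2.24.4 or 2.25.2 so the server revokes the prebuilds user's token on claim, and audit templates for anything that writes coder_workspace_owner.session_token into storage that survives the claim, since any such copy made before the upgrade should be treated as exposed.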
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Base score 8.1 (High): network-reachable, low attack complexity, requires low privileges (an authenticated Coder user), no user interaction, unchanged scope, high confidentiality and integrity impact, no availability impact.
Exploit Intelligence
EPSS percentile: this CVE is more likely to be exploited than 27% of all known CVEs (rated low risk by the page's scoring).
References
- https://github.com/coder/coder/commit/06cbb2890f453cd522bb2158a6549afa3419c276
- https://github.com/coder/coder/commit/20d67d7d7191a4fd5d36a61c6fc1e23ab59befc0
- https://github.com/coder/coder/commit/ec660907faa0b0eae20fa2ba58ce1733f5f4b35a
- https://github.com/coder/coder/pull/19667
- https://github.com/coder/coder/pull/19668
- https://github.com/coder/coder/pull/19669
- https://github.com/coder/coder/security/advisories/GHSA-j6xf-jwrj-v5qp
This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-10-17.