CVE-2025-58437

Name of the Vulnerable Software and Affected Versions Coder versions 2.22.0 through 2.24.3 Coder versions 2.25.0 and 2.25.1

Description Coder allows organizations to provision remote development environments via Terraform. In affected versions, Coder can be compromised through insecure session handling in prebuilt workspaces. Coder automatically generates a session token for a user when a workspace is started, exposed via coder workspace owner.session token. When a prebuilt workspace is claimed, a new session token is generated for the user, but the previous session token for the prebuilds system user is not expired. Workspace templates that persist this automatically generated session token are potentially impacted. This could lead to a privilege escalation and cross-workspace compromise.

Recommendations Update to Coder version 2.24.4 or 2.25.2.