PT-2026-56068 · Coder · Coder
Published
2026-07-06
·
Updated
2026-07-07
·
CVE-2026-55078
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Coder versions 2.17.0 through 2.29.6
Coder versions 2.32.0 through 2.32.6
Coder versions 2.33.0 through 2.33.7
Coder versions 2.34.0 through 2.34.1
Description
The
POST /api/v2/files endpoint converts zip uploads to tar in memory using the CreateTarFromZip function. While a per-entry size limit was enforced, there was no aggregate limit on the total decompressed output, causing data to be written to an unbounded in-memory buffer. An authenticated user could upload a zip file within the 100 MiB limit containing highly compressible entries that, when decompressed, exhaust system memory and crash the coderd service, leading to a denial of service. This issue does not allow for code execution or data disclosure.Recommendations
Update to version 2.29.17
Update to version 2.32.7
Update to version 2.33.8
Update to version 2.34.2
Restrict file-upload permissions to trusted users.
Place a reverse proxy with request-body size limits in front of
coderd.Fix
Allocation of Resources Without Limits
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Coder