PT-2026-56068 · Coder · Coder

Published

2026-07-06

·

Updated

2026-07-07

·

CVE-2026-55078

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions Coder versions 2.17.0 through 2.29.6 Coder versions 2.32.0 through 2.32.6 Coder versions 2.33.0 through 2.33.7 Coder versions 2.34.0 through 2.34.1
Description The POST /api/v2/files endpoint converts zip uploads to tar in memory using the CreateTarFromZip function. While a per-entry size limit was enforced, there was no aggregate limit on the total decompressed output, causing data to be written to an unbounded in-memory buffer. An authenticated user could upload a zip file within the 100 MiB limit containing highly compressible entries that, when decompressed, exhaust system memory and crash the coderd service, leading to a denial of service. This issue does not allow for code execution or data disclosure.
Recommendations Update to version 2.29.17 Update to version 2.32.7 Update to version 2.33.8 Update to version 2.34.2 Restrict file-upload permissions to trusted users. Place a reverse proxy with request-body size limits in front of coderd.

Fix

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55078
GHSA-2MG2-P7R7-G27F
GO-2026-5916

Affected Products

Coder