Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.33.0 and prior to versions 2.33.8 and 2.34.2, AI Bridge provider handlers read request bodies with `io.ReadAll` without a maximum size so an authenticated user with AI Bridge access could send an arbitrarily large body and exhaust memory. Exploitation requires authenticated access to the AI Bridge endpoints and the impact is limited to availability (denial of service). Versions 2.33.8 and 2.34.2 patch the issue. No known workarounds are available.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-f5vp-w269-392g | Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Tue, 07 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Coder
Coder coder |
|
| Vendors & Products |
Coder
Coder coder |
Tue, 07 Jul 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.33.0 and prior to versions 2.33.8 and 2.34.2, AI Bridge provider handlers read request bodies with `io.ReadAll` without a maximum size so an authenticated user with AI Bridge access could send an arbitrarily large body and exhaust memory. Exploitation requires authenticated access to the AI Bridge endpoints and the impact is limited to availability (denial of service). Versions 2.33.8 and 2.34.2 patch the issue. No known workarounds are available. | |
| Title | Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints | |
| Weaknesses | CWE-770 | |
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-07T20:14:00.531Z
Reserved: 2026-06-16T21:59:57.017Z
Link: CVE-2026-55434
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-07T21:30:03Z
Weaknesses
Github GHSA