CVE-2025-59956: CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action in coder agentapi
AgentAPI is an HTTP API for Claude Code, Goose, Aider, Gemini, Amp, and Codex. Versions 0.3.3 and below are susceptible to a client-side DNS rebinding attack when hosted over plain HTTP on localhost. An attacker can gain access to the /messages endpoint served by AgentAPI. This allows for the unauthorized exfiltration of sensitive user data, specifically local message history, which can include secret keys, file system contents, and intellectual property the user was working on locally. This issue is fixed in version 0.4.0.
AI Analysis
Technical Summary
CVE-2025-59956 is a medium-severity vulnerability affecting versions 0.3.3 and below of the AgentAPI component developed by coder. AgentAPI is an HTTP API used by several AI coding assistant products such as Claude Code, Goose, Aider, Gemini, Amp, and Codex. The vulnerability arises from a reliance on reverse DNS resolution for security-critical decisions, categorized under CWE-350. Specifically, when AgentAPI is hosted over plain HTTP on localhost, it is susceptible to a client-side DNS rebinding attack. DNS rebinding is a technique where an attacker manipulates DNS responses to make a victim's browser believe that a malicious domain resolves to a trusted local IP address, thereby bypassing same-origin policies. In this case, an attacker can exploit this flaw to access the /messages endpoint of the AgentAPI, which is intended to be accessible only locally. This endpoint contains sensitive user data including local message history, secret keys, file system contents, and intellectual property that the user is working on. The vulnerability does not require authentication but does require user interaction (e.g., visiting a malicious webpage). The CVSS v3.1 score is 6.5, reflecting a network attack vector with low complexity, no privileges required, but user interaction needed. The impact is primarily on confidentiality, with no direct integrity or availability impact. The issue is fixed in AgentAPI version 0.4.0. No known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive intellectual property and secret keys stored or processed locally by developers using affected AI coding assistants. Since these tools are used to accelerate software development and may handle proprietary code and credentials, unauthorized exfiltration could lead to intellectual property theft, leakage of sensitive credentials, and potential downstream supply chain risks. The attack requires user interaction, so phishing or social engineering could be leveraged to lure developers into visiting malicious sites. The fact that the API is hosted on localhost and assumed to be secure by design may lead to a false sense of security, increasing the risk of successful exploitation. Organizations with remote or hybrid workforces using these tools over unsecured networks may be particularly vulnerable. The absence of integrity or availability impact limits the scope to data confidentiality, but the sensitivity of the data involved elevates the concern. The medium severity rating suggests that while not critical, the vulnerability warrants prompt remediation to prevent targeted attacks against valuable development assets.
Mitigation Recommendations
European organizations should immediately upgrade all instances of AgentAPI to version 0.4.0 or later to eliminate the vulnerability. Until an upgrade is possible, organizations should enforce strict network controls to prevent untrusted web content from initiating DNS rebinding attacks, such as implementing DNS pinning or restricting DNS responses to trusted IP ranges. Developers should be educated about the risks of visiting untrusted websites while running vulnerable versions of AgentAPI. Additionally, hosting AgentAPI over HTTPS rather than plain HTTP on localhost can mitigate the attack vector by preventing interception and manipulation of DNS responses. Network segmentation and endpoint protection solutions should monitor for suspicious DNS rebinding patterns. Organizations should also audit the usage of affected AI coding assistants and restrict their use to trusted environments. Finally, sensitive keys and intellectual property should be stored using secure vaults or encrypted containers to reduce exposure in case of local API compromise.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-09-23T14:33:49.506Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68db2175a473ffe031e293b0
Added to database: 9/30/2025, 12:16:53 AM
Last enriched: 9/30/2025, 12:32:21 AM
Last updated: 9/30/2025, 2:01:52 AM