CVE-2025-59956 is a vulnerability in the AgentAPI component of the coder project, affecting versions below 0.4.0. AgentAPI serves as an HTTP API for several AI coding assistants including Claude Code, Goose, Aider, Gemini, Amp, and Codex. The vulnerability stems from the API's reliance on reverse DNS resolution for security-critical decisions, classified under CWE-350. When hosted over plain HTTP on localhost, this trust in reverse DNS can be exploited via a client-side DNS rebinding attack. DNS rebinding allows an attacker-controlled domain to resolve to localhost IP addresses after initial DNS resolution, bypassing same-origin policies in browsers. By tricking a user into visiting a malicious website, the attacker can cause the browser to send requests to the AgentAPI's /messages endpoint on localhost. This endpoint exposes sensitive local message history, which may include secret keys, file system contents, and intellectual property related to the user's local development environment. The attack requires no authentication but does require user interaction (visiting a malicious site). The vulnerability does not affect versions 0.4.0 and above, where the issue has been fixed. The CVSS 3.1 score is 6.5 (medium), reflecting network attack vector, low attack complexity, no privileges required, user interaction needed, unchanged scope, high confidentiality impact, and no impact on integrity or availability. No known exploits in the wild have been reported yet. The vulnerability highlights the risks of insecure localhost APIs combined with DNS rebinding attacks and improper trust in reverse DNS data.

For European organizations, especially those involved in software development, AI-assisted coding, or using coder's AgentAPI, this vulnerability poses a significant risk of sensitive data leakage. The unauthorized access to local message history can expose secret keys, proprietary code, and intellectual property, potentially leading to intellectual property theft, loss of competitive advantage, and compliance violations under GDPR due to unauthorized data exposure. Attackers can exploit this remotely with minimal complexity, requiring only that a user visits a malicious website. This risk is amplified in environments where developers use AgentAPI on their local machines without HTTPS or proper access controls. The confidentiality impact is high, but integrity and availability remain unaffected. The vulnerability could also facilitate further attacks if secret keys or credentials are exfiltrated. Organizations with remote or hybrid work models may be more vulnerable due to increased exposure to phishing or malicious websites. The lack of authentication on the API endpoint and reliance on insecure HTTP further exacerbate the threat.

1. Upgrade all AgentAPI deployments to version 0.4.0 or later immediately to apply the official fix. 2. Enforce HTTPS for all localhost API communications to prevent interception and manipulation of DNS responses. 3. Disable reliance on reverse DNS resolution for security decisions within the API or implement strict validation of DNS responses. 4. Implement strict origin and referer header checks to ensure requests to the /messages endpoint originate from trusted sources. 5. Restrict access to the AgentAPI localhost endpoints using firewall rules or local network policies to prevent unauthorized external access. 6. Educate users about the risks of visiting untrusted websites that could trigger DNS rebinding attacks. 7. Monitor network traffic for suspicious DNS rebinding patterns or unexpected localhost API requests. 8. Consider implementing authentication and authorization mechanisms on localhost APIs to prevent unauthorized access. 9. Conduct regular security audits and penetration testing focused on localhost API exposures and DNS-related attack vectors.