GHSA-2mg2-p7r7-g27f: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service
A denial of service vulnerability exists in Coder's zip upload decompression process where the total decompressed size is not limited, allowing an authenticated user to exhaust memory and crash the service. The issue arises because the service enforces a per-entry size limit but lacks an aggregate limit on the total decompressed output, leading to unbounded memory use. Exploitation requires authenticated file upload access and impacts availability only, without disclosure or code execution risks. Fixes have been released in multiple patched versions across supported release lines.
AI Analysis
Technical Summary
The vulnerability in github.com/coder/coder/v2 involves the POST /api/v2/files endpoint converting zip uploads to tar in memory without enforcing an aggregate decompressed size limit. While each zip entry has a size limit, the total decompressed size can exceed memory limits if many highly compressible entries are included. This causes the coderd process to crash before RBAC checks, resulting in denial of service. The fix introduces a metadata preflight check summing projected entry sizes and a streaming writer enforcing the aggregate limit during decompression. Patched versions include v2.34.2, v2.33.8, v2.32.7, and v2.29.17.
Potential Impact
An authenticated user can cause a denial of service by uploading a specially crafted zip file that decompresses to a very large size, exhausting server memory and crashing the coderd process. This leads to service unavailability. There is no impact on confidentiality or integrity, as the vulnerability does not allow data disclosure or code execution.
Mitigation Recommendations
Apply the official patches available in versions v2.34.2, v2.33.8, v2.32.7, and v2.29.17 or later. Until patched, restrict file-upload permissions to trusted users only or deploy a reverse proxy with request-body size limits in front of coderd to limit upload sizes. The vendor has provided official fixes for all supported release lines.
GHSA-2mg2-p7r7-g27f: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service
Description
A denial of service vulnerability exists in Coder's zip upload decompression process where the total decompressed size is not limited, allowing an authenticated user to exhaust memory and crash the service. The issue arises because the service enforces a per-entry size limit but lacks an aggregate limit on the total decompressed output, leading to unbounded memory use. Exploitation requires authenticated file upload access and impacts availability only, without disclosure or code execution risks. Fixes have been released in multiple patched versions across supported release lines.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in github.com/coder/coder/v2 involves the POST /api/v2/files endpoint converting zip uploads to tar in memory without enforcing an aggregate decompressed size limit. While each zip entry has a size limit, the total decompressed size can exceed memory limits if many highly compressible entries are included. This causes the coderd process to crash before RBAC checks, resulting in denial of service. The fix introduces a metadata preflight check summing projected entry sizes and a streaming writer enforcing the aggregate limit during decompression. Patched versions include v2.34.2, v2.33.8, v2.32.7, and v2.29.17.
Potential Impact
An authenticated user can cause a denial of service by uploading a specially crafted zip file that decompresses to a very large size, exhausting server memory and crashing the coderd process. This leads to service unavailability. There is no impact on confidentiality or integrity, as the vulnerability does not allow data disclosure or code execution.
Mitigation Recommendations
Apply the official patches available in versions v2.34.2, v2.33.8, v2.32.7, and v2.29.17 or later. Until patched, restrict file-upload permissions to trusted users only or deploy a reverse proxy with request-body size limits in front of coderd to limit upload sizes. The vendor has provided official fixes for all supported release lines.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-2mg2-p7r7-g27f
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-55078"]
- Ecosystems
- ["Go"]
- Database Specific Severity
- MODERATE
- Cvss Version
- 3.1
Threat ID: 6a4c340327e9c797195f5f3b
Added to database: 07/06/2026, 23:02:27 UTC
Last enriched: 07/06/2026, 23:12:26 UTC
Last updated: 07/06/2026, 23:12:26 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.