{"data":{"id":"3d6d69ab-481c-4bc8-bca2-613e092392c9","title":"GHSA-f962-qm93-mj4c: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service","summary":"A bug in Coder's file upload system allowed authenticated users to cause a denial of service (making a service unavailable) by sending a message with an extremely large declared file size, which the system would try to allocate into memory without checking if it was reasonable. An attacker could crash the entire Coder deployment with a single small message.","solution":"Update to one of the patched versions: v2.34.2, v2.33.8, v2.32.7, or v2.29.17 (depending on your release line). The fix adds a validation check that enforces a maximum file size limit (MaxFileSize = 100 MiB) before memory allocation. Alternatively, as a workaround, restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts only.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-f962-qm93-mj4c","publishedAt":"2026-07-06T20:54:41.000Z","cveId":"CVE-2026-55079","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["github.com/coder/coder/v2@>= 2.24.0, < 2.29.17 (fixed: 2.29.17)","github.com/coder/coder/v2@>= 2.30.0, < 2.32.7 (fixed: 2.32.7)","github.com/coder/coder/v2@>= 2.33.0, < 2.33.8 (fixed: 2.33.8)","github.com/coder/coder/v2@>= 2.34.0, < 2.34.2 (fixed: 2.34.2)"],"affectedVendors":["Anthropic"],"affectedVendorsRaw":["Coder","Anthropic"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-07-06T20:54:41.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["availability"],"aiComponentTargeted":"inference","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}