{"data":{"id":"dcb15dc3-9540-4f88-b3eb-25d45a3bbaf2","title":"GHSA-2mg2-p7r7-g27f: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service","summary":"A vulnerability in Coder's file upload feature allows an authenticated user to crash the service by uploading a specially crafted zip file containing many highly compressed entries that consume excessive memory during decompression. The zip file stays under the 100 MiB upload limit, but when decompressed in memory, it exhausts available memory and causes a denial of service (making the service unavailable), though it cannot leak data or execute code.","solution":"Update to a patched version: v2.34.2, v2.33.8, v2.32.7, or v2.29.17 depending on your release line. The fix adds a preflight check that sums projected entry sizes before decompression and enforces an aggregate size limit during the decompression process. Alternatively, restrict file-upload permissions to trusted users only, or place a reverse proxy with request-body size limits in front of the Coder server.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-2mg2-p7r7-g27f","publishedAt":"2026-07-06T21:06:45.000Z","cveId":"CVE-2026-55078","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["github.com/coder/coder/v2@>= 2.17.0, < 2.29.17 (fixed: 2.29.17)","github.com/coder/coder/v2@>= 2.30.0, < 2.32.7 (fixed: 2.32.7)","github.com/coder/coder/v2@>= 2.33.0, < 2.33.8 (fixed: 2.33.8)","github.com/coder/coder/v2@>= 2.34.0, < 2.34.2 (fixed: 2.34.2)"],"affectedVendors":[],"affectedVendorsRaw":["Coder"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-07-06T21:06:45.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["availability"],"aiComponentTargeted":null,"llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}