GHSA-f962-qm93-mj4c: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service
Summary
A bug in Coder's file upload system allowed authenticated users to cause a denial of service (making a service unavailable) by sending a message with an extremely large declared file size, which the system would try to allocate into memory without checking if it was reasonable. An attacker could crash the entire Coder deployment with a single small message.
Solution / Mitigation
Update to one of the patched versions: v2.34.2, v2.33.8, v2.32.7, or v2.29.17 (depending on your release line). The fix adds a validation check that enforces a maximum file size limit (MaxFileSize = 100 MiB) before memory allocation. Alternatively, as a workaround, restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts only.
Vulnerability Details
EPSS: 0.0%
Yes
July 6, 2026
Classification
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-f962-qm93-mj4c
First tracked: July 6, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 85%