GHSA-f5vp-w269-392g: Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints
Summary
Coder's AI Bridge provider endpoints had a vulnerability where they read incoming request bodies without limiting their size, allowing an authenticated user to send extremely large requests that consume all available memory and crash the system (denial of service, a type of attack that makes a service unavailable). This vulnerability only affects versions 2.33 and 2.34 and requires the attacker to already have authenticated access to the AI Bridge feature.
Solution / Mitigation
The fix applies `http.MaxBytesReader` (a setting that caps the maximum size of incoming request data) or an equivalent limit before reading request bodies. Update to v2.34.2 or v2.33.8 depending on your release line.
Vulnerability Details
EPSS: 0.0%
Yes
July 6, 2026
Classification
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-f5vp-w269-392g
First tracked: July 6, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 92%