GHSA-mcqq-fqgf-rxwm: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh`
Summary
Coder's `coder config-ssh` command didn't properly check server-supplied SSH settings (HostnameSuffix, SSHConfigOptions) before writing them to the user's SSH configuration file, allowing a malicious or compromised server to inject arbitrary SSH configuration directives. An attacker controlling the server could inject commands like ProxyCommand to execute arbitrary code on a developer's workstation with that user's privileges.
Solution / Mitigation
Update to a patched version: v2.34.2 (for release line 2.34), v2.33.8 (for 2.33), v2.32.7 (for 2.32), or v2.29.17 (for 2.29 ESR). The fix validates HostnameSuffix and SSHConfigOptions against a strict character set that rejects newlines and other control characters. As a temporary workaround before updating, inspect the output of `coder config-ssh --dry-run` before applying changes.
Vulnerability Details
EPSS: 0.0%
Yes
July 6, 2026
Classification
Taxonomy References
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-mcqq-fqgf-rxwm
First tracked: July 6, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 72%