GHSA-2mg2-p7r7-g27f: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service
Summary
A vulnerability in Coder's file upload feature allows an authenticated user to crash the service by uploading a specially crafted zip file containing many highly compressed entries that consume excessive memory during decompression. The zip file stays under the 100 MiB upload limit, but when decompressed in memory, it exhausts available memory and causes a denial of service (making the service unavailable), though it cannot leak data or execute code.
Solution / Mitigation
Update to a patched version: v2.34.2, v2.33.8, v2.32.7, or v2.29.17 depending on your release line. The fix adds a preflight check that sums projected entry sizes before decompression and enforces an aggregate size limit during the decompression process. Alternatively, restrict file-upload permissions to trusted users only, or place a reverse proxy with request-body size limits in front of the Coder server.
Vulnerability Details
EPSS: 0.0%
Yes
July 6, 2026
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2026-47482: NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause missing release of memory
CVE-2022-29200: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implem
Original source: https://github.com/advisories/GHSA-2mg2-p7r7-g27f
First tracked: July 6, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 75%