SecBoard
Zurück zur CVE-Übersicht

CVE-2026-55430

MEDIUM(5.8)

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N

Risk Signal Score25/100 — MITTEL
  • CVSS 5.8 — Mittel
  • Weniger als 24 Stunden alt

Beschreibung

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target app from `httpapi.RequestHost()` which prefers the `X-Forwarded-Host` header over the real `Host` header. No middleware strips `X-Forwarded-Host` before routing and the header is not browser-forbidden so client-side JavaScript can set it on `fetch()` calls. Practical exploitation requires subdomain app routing (wildcard hostname) enabled, a victim who visits the attacker's shared app and a deployment whose upstream proxy does not strip `X-Forwarded-Host`. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 trusts `X-Forwarded-Host` only from configured trusted proxies and otherwise resolves the routing host from the verified request host. As a workaround, place an upstream reverse proxy that strips or overwrites `X-Forwarded-Host` on untrusted requests.

GitHub Advisories

GHSA-5g4w-3vw9-478wMEDIUM

Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access

go/github.com/coder/coder/v22.34.2
GitHub Advisory

Referenzen