Impact
The vulnerability resides in the dotfiles registry module of Coder, where user input is passed directly to shell commands without sanitization. An attacker can supply a crafted dotfiles_uri containing shell command substitution such as $(…); that value is executed inside a provisioned workspace. The result is arbitrary command execution within that workspace, giving the attacker the same privileges as the user who created the workspace and allowing the attacker to run any commands on the workspace host, potentially exposing workspace data or installing malware.
Affected Systems
In Coder versions prior to 2.29.7 for the 2.30.x series and before 2.30.2, any organization that enabled the dotfiles module is vulnerable. Users who have the ability to provision workspaces via the Create Workspace page and who can use the mode=auto deep link are at risk. The vulnerability is mitigated in Coder v2.29.7 and v2.30.2 where input validation rejects special characters and the unsafe eval/sh‑c usage has been removed.
Risk and Exploitability
The CVSS score of 8.1 indicates a high severity, and although no EPSS value is provided, the vulnerability can be exploited through a simple crafted URL that automatically provisions a workspace with a malicious dotfiles_uri. The attack does not require privileged access beyond the ability to create workspaces, and it bypasses explicit user confirmation. The absence of a KEV listing suggests no confirmed widespread exploitation yet, but the auto‑provisioning via a deep link is straightforward. As a result, the risk to any Coder installation that has not yet applied the fixed versions is significant and a timely patch is recommended.
OpenCVE Enrichment
Github GHSA