Description
Advisory GHSA-3rw9-wmc8-8948 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/coder/coder |
| github.com/coder/coder/v2 |
Description:
Summary
If users log in to Coder via OIDC, and the OpenID Identity Provider does not return a refresh token, then Coder may allow their web session to continue beyond the expiration of the token returned by the OpenID Identity Provider.
Details
When a user logs in via OIDC, Coder stores the OIDC token and refresh token (if any) in its datastore and sets an APIKey in the user's cookies. If there is a refresh token, then when the OIDC token is expired and a request is made with the APIKey, we attempt to refresh the OIDC token. If refresh fails, the Coder API request is also failed and t...
References:
- ADVISORY: GHSA-3rw9-wmc8-8948 (https://github.com/advisories/GHSA-3rw9-wmc8-8948)
- ADVISORY: GHSA-3rw9-wmc8-8948 (https://github.com/coder/coder/security/advisories/GHSA-3rw9-wmc8-8948)
- FIX: coder/coder@1a41608
Cross references:
- github.com/coder/coder appears in 2 other report(s):
  - data/reports/GO-2024-2602.yaml (x/vulndb: potential Go vuln in github.com/coder/coder: GHSA-7cc2-r658-7xpf #2602)
  - data/reports/GO-2024-3228.yaml (x/vulndb: potential Go vuln in github.com/coder/coder/v2: GHSA-wcx9-ccpj-hx3c #3228)
- github.com/coder/coder/v2 appears in 2 other report(s):
  - data/reports/GO-2024-2602.yaml (x/vulndb: potential Go vuln in github.com/coder/coder: GHSA-7cc2-r658-7xpf #2602)
  - data/reports/GO-2024-3228.yaml (x/vulndb: potential Go vuln in github.com/coder/coder/v2: GHSA-wcx9-ccpj-hx3c #3228)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/coder/coder
      vulnerable_at: 0.27.3
    - module: github.com/coder/coder/v2
      versions:
        - fixed: 2.23.0
      vulnerable_at: 2.22.1
summary: |-
    Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh
    token in github.com/coder/coder
ghsas:
    - GHSA-3rw9-wmc8-8948
references:
    - advisory: https://github.com/advisories/GHSA-3rw9-wmc8-8948
    - advisory: https://github.com/coder/coder/security/advisories/GHSA-3rw9-wmc8-8948
    - fix: https://github.com/coder/coder/commit/1a4160803589034ce1518e24a78f232c8d08f996
source:
    id: GHSA-3rw9-wmc8-8948
    created: 2025-08-28T20:01:10.976047184Z
review_status: UNREVIEWED
```