cvebase

Coder Code-Server vulnerabilities

4 known vulnerabilities affecting coder/code-server.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 1

Vulnerabilities

CVE-2025-47269 | P2 | HIGH | CVSS 8.3 | fixed in 4.99.4 | 2025-05-09
CWE-441. code-server runs VS Code on any machine anywhere through browser access. Prior to version 4.99.4, a maliciously crafted URL using the proxy subpath can result in the attacker gaining access to the session token. Failure to properly validate the port for a proxy request can result in proxying to an arbitrary domain. The malicious URL `https:///proxy/tes
Sources: GHSA, NVD, OSV

CVE-2023-26114 | P3 | CRITICAL | CVSS 9.3 | fixed in 4.10.1 | 2023-03-23
CWE-1385. Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance.
Sources: GHSA, NVD, OSV

CVE-2021-3810 | P3 | HIGH | CVSS 7.5 | fixed in 3.12.0 | 2021-09-17
CWE-1333. code-server is vulnerable to Inefficient Regular Expression Complexity.
Sources: GHSA, NVD, OSV

CVE-2021-42648 | P4 | MEDIUM | CVSS 6.1 | fixed in 3.12.0 | 2022-05-11
CWE-79. A cross-site scripting (XSS) vulnerability in Coder Code-Server before 3.12.0 allows attackers to execute arbitrary code via a crafted URL.
Sources: GHSA, NVD, OSV