CVE-2025-58437

Coder · Coder Multiple Products


Executive summary

A high-severity vulnerability has been discovered in multiple Coder products that could allow an authenticated, low-privileged user to gain unauthorized control over remote development environments. Successful exploitation could lead to theft of source code, injection of malicious code into the software supply chain, and unauthorized access to sensitive company infrastructure. Apply the vendor-provided security updates immediately, after confirming the affected version range against Coder's own advisory, and review audit logs for signs of prior abuse.

Vulnerability

This vulnerability is an improper input validation flaw in the Terraform provisioning path used by Coder. An authenticated attacker with low privileges, such as the ability to define or modify a development workspace, can craft a malicious Terraform configuration. By embedding specially crafted commands or arguments in configuration parameters, the attacker can bypass validation checks and achieve code execution either on the host that runs the provisioner (which may be the Coder server itself or an external provisioner daemon) or within the provisioned development environment, effectively escalating privileges. The general Terraform behaviour that makes this dangerous is worth keeping in mind: a configuration can legitimately run programs on the machine executing it (local-exec provisioners, the external data source) and inside the target (remote-exec, agent startup scripts), so any user-controlled content that reaches the provisioner unvalidated is a code-execution primitive, not merely a configuration error.

Business impact

This vulnerability carries a CVSS score of 8.1 (High). Exploitation could result in complete compromise of development environments, which routinely hold proprietary source code, API keys, cloud credentials, and other secrets. An attacker could exfiltrate intellectual property, disrupt development and testing workflows, or, in the worst case, inject malicious code into the organization's software products and turn the compromise into a supply chain attack against downstream customers. The potential for data breaches, reputational damage, and significant financial loss is substantial.

Remediation

Immediate Action: The primary and most effective remediation is to apply the security updates released by Coder to every affected instance, including any external provisioner daemons, immediately. After patching, review access and audit logs for signs of compromise that may predate the update, such as unexpected template or template-version changes, unusual workspace provisioning, or commands executed on the provisioner host that do not correspond to a known template.

Proactive Monitoring: Implement enhanced monitoring on Coder instances and related infrastructure. Security teams should look for anomalies in Coder's audit logs, focusing on unusual or malformed Terraform configurations and on template changes made by accounts that do not normally author templates. Monitor the hosts running coderd and the provisioner daemons for unexpected child processes spawned by the Coder service, and scrutinize outbound network traffic from development environments for connections to unauthorized or suspicious destinations.

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce risk:

  • Restrict user permissions to the minimum required for each role; in particular, limit template creation and modification to users who hold a template-administration role, and keep ordinary members at workspace-creation rights only.
  • Enforce a mandatory peer-review process for all changes to Terraform templates before they are pushed, with specific attention to provisioners, external data sources, and user-supplied parameters interpolated into commands or startup scripts.
  • Use a Web Application Firewall (WAF) to inspect and block malicious patterns in traffic to the Coder web interface. Note that template content is uploaded to the API as an archive, so a WAF offers limited coverage of that path; treat it as defence in depth rather than a primary control.
  • Isolate the Coder platform, its provisioner daemons, and the environments it provisions in a segmented network to limit the blast radius of a compromise.
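As an added example, not code from Coder or from this advisory, the following Python scanner applies the monitoring and peer-review checks above to template source before it is pushed or when it is pulled from audit records. It flags the Terraform constructs that run programs on the provisioner host (local-exec provisioners, the external data source) or inside the workspace (remote-exec), and flags workspace-owner-controlled coder_parameter values interpolated into command-like attributes. The two templates are constructed samples; the attribute names checked (command, startup_script, interpreter, program) and the severities are the author's assumptions, not Coder settings.

```python
"""Static scan of Coder Terraform templates for constructs that execute
programs, and for user-supplied parameters flowing into those commands.
Added example; the rule set and sample templates are constructed."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    template: str
    line: int
    rule: str
    severity: str
    snippet: str


# Constructs that execute something. local-exec and the external data
# source run on the machine executing terraform, i.e. the provisioner
# host, not the workspace; remote-exec runs inside the target.
RULES = [
    (re.compile(r'provisioner\s+"local-exec"'), "local_exec_provisioner", "high"),
    (re.compile(r'data\s+"external"'), "external_data_source", "high"),
    (re.compile(r'provisioner\s+"remote-exec"'), "remote_exec_provisioner", "medium"),
]

# coder_parameter values are chosen by the workspace owner at build time,
# so they are untrusted input from the template author's point of view.
PARAM_REF = re.compile(r"\$\{?\s*data\.coder_parameter\.[\w-]+\.value")
# Attributes whose value is executed (assumed list, extend as needed).
CMD_ATTRS = re.compile(r"^\s*(command|startup_script|interpreter|program)\s*=")
HEREDOC = re.compile(r"<<-?\s*(\w+)\s*$")

SEVERITY_ORDER = {"none": 0, "medium": 1, "high": 2}


def scan_template(name, text):
    """Return a list of Finding for one template's HCL source."""
    findings = []
    heredoc_end = None  # terminator of a command heredoc we are inside
    for lineno, line in enumerate(text.splitlines(), start=1):
        if heredoc_end:
            # Inside a heredoc assigned to a command attribute: any
            # parameter reference here ends up in a shell command.
            if line.strip() == heredoc_end:
                heredoc_end = None
            elif PARAM_REF.search(line):
                findings.append(Finding(name, lineno, "parameter_in_command", "high", line.strip()))
            continue
        for pattern, rule, sev in RULES:
            if pattern.search(line):
                findings.append(Finding(name, lineno, rule, sev, line.strip()))
        if CMD_ATTRS.search(line):
            m = HEREDOC.search(line)
            if m:
                heredoc_end = m.group(1)
            elif PARAM_REF.search(line):
                findings.append(Finding(name, lineno, "parameter_in_command", "high", line.strip()))
    return findings


def worst_severity(findings):
    return max((f.severity for f in findings), key=SEVERITY_ORDER.get, default="none")


# Constructed sample: a template that only runs a fixed startup script.
BENIGN_TEMPLATE = """\
terraform {
  required_providers {
    coder = { source = "coder/coder" }
  }
}
resource "coder_agent" "main" {
  os   = "linux"
  arch = "amd64"
  startup_script = <<-EOT
    git clone https://example.invalid/app.git ~/app
  EOT
}
"""

# Constructed sample: a parameter the workspace owner controls is spliced
# into a command on the provisioner host and into the agent startup script.
SUSPICIOUS_TEMPLATE = """\
data "coder_parameter" "repo" {
  name = "repo"
  type = "string"
}
resource "null_resource" "prep" {
  provisioner "local-exec" {
    command = "git clone ${data.coder_parameter.repo.value} /tmp/src"
  }
}
resource "coder_agent" "main" {
  os   = "linux"
  arch = "amd64"
  startup_script = <<-EOT
    curl -fsSL ${data.coder_parameter.repo.value}/setup.sh | sh
  EOT
}
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_TEMPLATE), ("suspicious", SUSPICIOUS_TEMPLATE)):
        found = scan_template(name, src)
        print(f"{name}: worst={worst_severity(found)}")
        for f in found:
            print(f"  line {f.line} [{f.severity}] {f.rule}: {f.snippet}")
```

In a pre-push review hook, anything rated high should block the push until a template administrator has signed off; in monitoring, run the same scan over the template versions recorded in the audit log and alert on any new high finding.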

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the High severity (CVSS 8.1) of CVE-2025-58437 and its direct impact on critical development infrastructure, this vulnerability requires immediate attention. The potential for a supply chain compromise elevates it beyond a typical infrastructure flaw. We strongly recommend that all organizations running affected Coder products deploy the vendor-supplied patches across their entire environment, including external provisioner daemons, without delay. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog and no public exploit is known, but its characteristics make it a strong candidate for future inclusion. If patching is delayed, the compensating controls outlined above should be implemented as an urgent temporary measure.