Miggo Logo
Miggo Vulnerability Database
CVE-2025-59956

CVE-2025-59956: Coder AgentAPI exposed user chat history via a DNS rebinding attack

6.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2025-59956
GHSA ID
GHSA-w64r-2g3w-w8w4
EPSS Score
-
CWE
CWE-350
Published
9/29/2025
Updated
9/29/2025
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/coder/agentapigo< 0.4.00.4.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability, identified as GHSA-w64r-2g3w-w8w4, is a DNS rebinding attack in Coder AgentAPI prior to version 0.4.0. The root cause was improper validation of Host and Origin headers for the HTTP server running on localhost. An attacker could craft a malicious webpage that, when visited by a user running the agent, would use DNS rebinding to bypass the browser's same-origin policy. This would allow the malicious site to send requests to the agent's API, specifically targeting the /messages endpoint to exfiltrate sensitive chat history.

The analysis of the patch commit 5c425c62447b8a9eac19e9fc5a2eae7f0803f149 reveals the core of the vulnerability and its fix. The function httpapi.NewServer was identified as the primary vulnerable function because it was responsible for setting up the server with an insecure CORS policy (AllowedOrigins: "*"), effectively trusting requests from any origin. The patch rectifies this by introducing strict Host and Origin header validation.

A new middleware, httpapi.hostAuthorizationMiddleware, was added to enforce Host header validation. This function is called for every incoming request in the patched version. While not present in the vulnerable versions, its addition is the key to the remediation and highlights that the vulnerability lay in the absence of such a check. During an exploit against a vulnerable version, any of the API endpoint handlers, such as getMessages (for the /messages endpoint), would be present in the runtime profile. However, the fundamental flaw is in the server's initial setup (NewServer), which fails to apply the necessary security controls to protect these endpoints.

Vulnerable functions

httpapi.NewServer
lib/httpapi/server.go
This function initializes the HTTP server. Before the patch, it configured a permissive Cross-Origin Resource Sharing (CORS) policy, allowing requests from any origin (`[]string{"*"}`). This misconfiguration is the root cause of the DNS rebinding vulnerability, as it allowed malicious websites to make requests to the agent's API endpoints.
httpapi.hostAuthorizationMiddleware
lib/httpapi/server.go
This function is a new middleware added in the patch to validate the `Host` header of incoming HTTP requests. Its absence in versions prior to the patch is what allowed the DNS rebinding attack to succeed. When the vulnerability is triggered, this function would not be in the stack trace of a vulnerable version, but its introduction in the patched version is direct evidence of the vulnerability's nature: a lack of host validation.

WAF Protection Rules

WAF Rule

### Summ*ry ***nt*PI prior to v*rsion [*.*.*](*ttps://*it*u*.*om/*o**r/***nt*pi/r*l**s*s/t**/v*.*.*) w*s sus**pti*l* to * *li*nt-si** *NS r**in*in* *tt**k w**n *ost** ov*r pl*in *TTP on lo**l*ost. ### Imp**t *n *tt**k*r *oul* **v* **in** ****ss to t

Reasoning

T** vuln*r**ility, i**nti*i** *s **S*-w**r-***w-w*w*, is * *NS r**in*in* *tt**k in *o**r ***nt*PI prior to v*rsion *.*.*. T** root **us* w*s improp*r v*li**tion o* `*ost` *n* `Ori*in` *****rs *or t** *TTP s*rv*r runnin* on lo**l*ost. *n *tt**k*r *oul