coder

v2.24.5 Security

This release patches 2 CVEs for security teams tracking exposure across their dependency inventory.

This release patches 2 known CVEs: GHSA-686c-7vgv-v3fx, GHSA-6x44-w3xg-hqqf

Topics

agents dev-tools development-environment go ide jetbrains remote-development terraform vscode

Affected surfaces

auth crypto_tls

ReleasePort's take

Moderate signal
editorial:auto 13d

ESR v2.24.5 resolves 11 security sub-issues and hardens Azure identity certificate handling by verifying PKCS7 signatures on instance tokens.

Why it matters: Patch to ESR v2.24.5 immediately to remediate the 11 security issues (severity 50) and enable PKCS7 verification for Azure token integrity (severity 90).

Summary

AI summary

Harden Azure identity certificate fetch and verify PKCS7 signature on instance tokens.

Changes in this release

Security Medium

ESR v2.24.x security remediation fixes 11 sub-issues

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Harden Azure identity certificate fetch in server

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Security Medium

Verify PKCS7 signature on Azure instance identity tokens

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Full changelog

Changelog

Bug fixes

  • ESR v2.24.x security remediation (11 sub-issues) (#25269, 8b8496f09e)
  • Server: Harden Azure identity certificate fetch (cherry-pick v2.24) (#25280, ddca312142)
  • Verify PKCS7 signature on Azure instance identity tokens (backport 2.24) (#25309, cc4907395b)

Compare: v2.24.4...v2.24.5

Container image

  • docker pull ghcr.io/coder/coder:2.24.5

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

Security Fixes

  • Server: Harden Azure identity certificate fetch (cherry-pick v2.24) — mitigates credential leakage (#25280).
  • Verify PKCS7 signature on Azure instance identity tokens (backport 2.24) — prevents token spoofing (#25309).

About coder

Secure environments for developers and their agents
