coder

v2.31.12 Security

This release patches 2 CVEs for security teams tracking exposure across their dependency inventory.

Published 21d Developer Productivity

View tool

2 patched CVEs

Read the diff → Tool health → What is this tool? →

This release patches 2 known CVEs GHSA-686c-7vgv-v3fx GHSA-6x44-w3xg-hqqf

2 CVEs patched

Topics

agents dev-tools development-environment go ide jetbrains

+3 more

remote-development terraform vscode

Affected surfaces

rce_ssrf deps

ReleasePort's take

Moderate signal

editorial:auto 13d

Release v2.31.12 patches four security vulnerabilities across dependencies and the server component.

Why it matters: Patch to v2.31.12 immediately; it fixes CVE-2026-33814, CVE-2026-39883, GHSA‑77fj‑vx54‑gvh7, and CVE-2026-5160 in golang/x/net, otel SDK, markdown parser, and Azure token verification.

Summary

AI summary

Security fixes for CVE-2026-33814, CVE-2026-39883, GHSA-77fj-vx54-gvh7, and CVE-2026-5160.

Changes in this release

Type	Severity	Summary	CVE
Security
Security	Medium	Bump golang.org/x/net to v0.53.0 fixes CVE-2026-33814 Bump golang.org/x/net to v0.53.0 fixes CVE-2026-33814 Source: llm_adapter@2026-05-21 Confidence: high	—
Security	Medium	Bump otel SDK from v1.42.0 to v1.43.0 fixes CVE-2026-39883 Bump otel SDK from v1.42.0 to v1.43.0 fixes CVE-2026-39883 Source: llm_adapter@2026-05-21 Confidence: high	—
Security	Medium	fix(security): bump gomarkdown/markdown to fix out-of-bounds read GHSA-77fj-vx54-gvh7 fix(security): bump gomarkdown/markdown to fix out-of-bounds read GHSA-77fj-vx54-gvh7 Source: llm_adapter@2026-05-21 Confidence: high	—
Security	Medium	Verify PKCS7 signature on Azure instance identity tokens backport 2.31 Verify PKCS7 signature on Azure instance identity tokens backport 2.31 Source: llm_adapter@2026-05-21 Confidence: high	—
Dependency
Dependency	Medium	Bump aws-sdk-go-v2/service/s3 to v1.97.3 GHSA-xmrv-pmrh-hhx2 Bump aws-sdk-go-v2/service/s3 to v1.97.3 GHSA-xmrv-pmrh-hhx2 Source: llm_adapter@2026-05-21 Confidence: high	—
Dependency	Medium	Bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0 release/2.31 Bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0 release/2.31 Source: llm_adapter@2026-05-21 Confidence: low	—
Dependency	Medium	Bump Go from 1.25.9 to 1.25.10 Bump Go from 1.25.9 to 1.25.10 Source: llm_adapter@2026-05-21 Confidence: low	—
Performance	Medium	Server: Harden Azure identity certificate fetch cherry-pick v2.31 Server: Harden Azure identity certificate fetch cherry-pick v2.31 Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	Bump goldmark to v1.7.17 fixes XSS CVE-2026-5160 Bump goldmark to v1.7.17 fixes XSS CVE-2026-5160 Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	Dashboard: Remove flaky pagination test from WorkspacesPage Dashboard: Remove flaky pagination test from WorkspacesPage Source: llm_adapter@2026-05-21 Confidence: low	—

Full changelog

Changelog

Bug fixes

Bump golang.org/x/net to v0.53.0 (CVE-2026-33814) (#25213, 836ff8f1b4)
Bump otel SDK from v1.42.0 to v1.43.0 (CVE-2026-39883) (#25214, 59248df4c0)
fix(security): bump gomarkdown/markdown to fix OOB read (GHSA-77fj-vx54-gvh7) (#25218, 17b857ea29)
Bump goldmark to v1.7.17 to fix XSS (CVE-2026-5160) (#25216, cd6eb46777)
Dashboard: Remove flaky pagination test from WorkspacesPage (#24165, e7030b122b)
Server: Harden Azure identity certificate fetch (cherry-pick v2.31) (#25278, eb461163c7)
Verify PKCS7 signature on Azure instance identity tokens (backport 2.31) (#25304, 6ff657f090)
fix(scripts/ironbank): rebuild bundled Terraform from source with Go 1.25.9 (#25260, dfe986b2b0)

Chores

Bump aws-sdk-go-v2/service/s3 to v1.97.3 (GHSA-xmrv-pmrh-hhx2) (#25212, f34f6733b6)
Bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0 (release/2.31) (#25236, 441a9aba0c)
Bump Go from 1.25.9 to 1.25.10 (#25220, bddd73d5d2)

Compare: v2.31.11...v2.31.12