httpmw package, versions <2.23.0

Q: How to fix?

Upgrade github.com/coder/coder/coderd/httpmw to version 2.23.0 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-GOLANG-GITHUBCOMCODERCODERCODERDHTTPMW-12301714
published31 Aug 2025
disclosed28 Aug 2025
creditSpike Curtis

Report a new vulnerability Found a mistake?

Introduced: 28 Aug 2025

NewCWE-324 (opens in a new tab)

How to fix?

Upgrade github.com/coder/coder/coderd/httpmw to version 2.23.0 or higher.

Overview

Affected versions of this package are vulnerable to Use of a Key Past its Expiration Date due to improper enforcement of OIDC token expiry in the authentication process when no refresh token is provided. An attacker can maintain unauthorized access to the service by continuously using a valid APIKey, even after the OIDC token has expired.

Note: This is exploitable if the OpenID Identity Provider does not return a refresh token during authentication.

References

GitHub Commit

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
Low
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
Low
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None