GHSA-75vm-6w67-gwvp
HIGHCoder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking
Blast Radius
github.com/coder/coder/v2🐹github.com/coder/coder/v2🐹github.com/coder/coder/v2🐹github.com/coder/coder/v2Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Summary
Coder's OIDC callback checked email_verified with a direct Go bool type assertion. When an IdP returned the claim as a non-boolean (for example the string "false") or omitted it, the assertion failed open and the email was treated as verified. Combined with an unconditional email-based account fallback, this enabled account takeover.
Impact
An attacker who registered a victim's email at a compatible IdP without verifying it could log in via OIDC and be matched to the victim's existing Coder account, receiving a session for that account. No prior authentication to Coder was required and the result was full account takeover.
Patches
The fix coerces email_verified across bool, string and numeric types (fail-closed) and blocks the email fallback when the matched user already has a different linked IdP subject.
The fix was backported to all supported release lines:
Workarounds
Ensure the IdP returns email_verified as a native JSON boolean. The email-fallback linking issue has no configuration workaround; upgrading is required.
Resources
- Fix: #25712, #25713
Credits
Coder would like to thank Anthropic's Security Team (ANT-2026-22444) for independently disclosing this issue!
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/coder/coder/v2 | ≥ 2.34.0&&< 2.34.2 | 2.34.2 |
| 🐹Go | github.com/coder/coder/v2 | ≥ 2.33.0&&< 2.33.8 | 2.33.8 |
| 🐹Go | github.com/coder/coder/v2 | ≥ 2.30.0&&< 2.32.7 | 2.32.7 |
| 🐹Go | github.com/coder/coder/v2 | all versions | 2.29.17 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/coder/coder/v2. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/coder/coder/v2 to 2.34.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-75vm-6w67-gwvp is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-75vm-6w67-gwvp is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-75vm-6w67-gwvp. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-75vm-6w67-gwvp in your dependencies?
O3 detects GHSA-75vm-6w67-gwvp across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.