vulnerability in envbuilder project

[ankitdn]

While working on envbuilder project, I discovered a vulnerability (CVE-2025-66411) in the github.com/coder/coder/v2 package. The issue occurs because the Workspace Agent logs sensitive environment variables in plaintext without sanitization. Updating to the patched version and disabling agent logs temporarily mitigates the risk.

CVE Link
CVE Report