Overview
DNS rebinding attack against Coder's Agent API exposes user chat history to attackers. A malicious website can pivot to the locally running Coder agent and read all conversation data.
Who Is Affected
Reported by mcpsec.dev. Affects users of the Coder development platform who use its Agent API for AI-assisted development.
Where It Exists
The vulnerability is in Coder's Agent API, which runs locally and is accessible via DNS rebinding due to missing Host header validation.
When It Was Found
Advisory published September 19, 2025 on mcpsec.dev.
How It Works
An attacker hosts a malicious website that performs DNS rebinding to access the locally running Coder Agent API. The API lacks Host header validation, allowing the rebinding attack. Once connected, the attacker queries the chat history endpoint to retrieve all past conversations between the user and the AI agent.
Impact
Exposure of full chat history, which may contain source code snippets, API keys shared in conversations, internal architecture discussions, security-sensitive decisions, and proprietary business logic. This data provides attackers with intelligence for further targeted attacks.
Mitigation
Implement Host header validation for the Agent API. Add authentication tokens for local API access. Restrict CORS to prevent cross-origin requests. Consider encrypting chat history at rest with per-session keys.