Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint

## Summary Unauthenticated semi-blind Server-Side Request Forgery (SSRF) via the Azure instance identity endpoint (`POST /api/v2/workspaceagents/azure-instance-identity`). An external attacker can force the Coder server to issue HTTP GET requests to arbitrary internal or external hosts by submitting a crafted PKCS#7 signature. The server does not return the target's response body, but error messages in the API response reveal whether the target is reachable and what type of failure occurred. ## Details The `POST /api/v2/workspaceagents/azure-instance-identity` endpoint accepts a PKCS#7 signature without authentication. During certificate chain verification, [`azureidentity.Validate()`](https://github.com/coder/coder/blob/aa0e288b88/coderd/azureidentity/azureidentity.go#L83-L88) iterates over the signer certificate's `IssuingCertificateURL` extension and fetches each URL using `http.DefaultClient` with no host restriction, no private-IP blocking, and no response-size limit. An attacker crafts a self-signed certificate whose Common Name matches `*.metadata.azure.com` (passing the `allowedSigners` regex) and whose `IssuingCertificateURL` points to an attacker-chosen target. The server fetches that URL and feeds the response body into `x509.ParseCertificate`. The parsed result is discarded, but the wrapped error string is returned verbatim in the JSON response via `Detail: err.Error()`. Connection-level errors ("connection refused", "i/o timeout", DNS failures) and certificate-parse errors give the attacker enough signal to infer host reachability and port state without seeing the actual response content. **Root causes:** 1. No allowlist on `IssuingCertificateURL` hosts. Any URL was accepted. 2. `http.DefaultClient` was used. It follows redirects and connects to private, link-local, and loopback addresses. 3. Unbounded `io.ReadAll` on the response body (memory exhaustion vector). 4. Raw `err.Error()` was returned in the JSON response, leaking internal HTTP client errors to the caller. ## Impact This is a semi-blind SSRF: the server makes the outbound request but the HTTP response body is consumed by `x509.ParseCertificate` and never returned to the attacker. - **Internal network reconnaissance.** The attacker can map internal hosts and ports by observing error differentiation in the API response: "connection refused" (port closed), "i/o timeout" (host unreachable or firewalled), DNS failure (host does not exist), or certificate-parse error (port open and responding). This enables systematic scanning of the internal network from the Coder server's vantage point. - **Requests to sensitive endpoints.** The server can be directed to hit cloud metadata services (e.g. `http://169.254.169.254/`), internal admin interfaces, or other services. The attacker cannot read the response content, but the request itself may have side effects depending on the target. - **Error-based information disclosure.** Wrapped Go HTTP client errors in the `Detail` field expose internal hostnames, IP addresses, port numbers, and network topology details. - **Memory exhaustion.** The unbounded `io.ReadAll` on the response body allows an attacker to point `IssuingCertificateURL` at a large resource, forcing the server to buffer it entirely in memory. ## Patches Fixed in [#25274](https://github.com/coder/coder/pull/25274) (commit [`57b11d405`](https://github.com/coder/coder/commit/57b11d405f17492aa789d4b9ff33366f961a37f8)): The fix was backported to all supported release lines: | Release line | Patched version | |---|---| | 2.33 | [v2.33.3](https://github.com/coder/coder/releases/tag/v2.33.3) | | 2.32 | [v2.32.2](https://github.com/coder/coder/releases/tag/v2.32.2) | | 2.31 | [v2.31.12](https://github.com/coder/coder/releases/tag/v2.31.12) | | 2.30 | [v2.30.8](https://github.com/coder/coder/releases/tag/v2.30.8) | | 2.29 | [v2.29.13](https://github.com/coder/coder/releases/tag/v2.29.13) | | 2.24 (ESR) | [v2.24.5](https://github.com/coder/coder/releases/tag/v2.24.5) | ## Workarounds If the Azure identity-auth mechanism is not being used then restrict access to the corresponding endpoint (`/api/v2/workspaceagents/azure-instance-identity`) using ingress firewall and/or proxy ACLs. ### Recognition We'd like to thank [Ben Tran](https://github.com/bencalif) of [calif.io](http://calif.io/) and Anthropic's Security Team (`ANT-2026-22447`) for independently disclosing this issue!