CVE-2025-59956
AgentAPI exposed user chat history via a DNS rebinding attack
In short
AgentAPI on unencrypted HTTP localhost is vulnerable to DNS rebinding attacks, allowing attackers to steal user chat history including secrets and sensitive files. This affects versions 0.3.3 and below.
Technical detail
A DNS rebinding attack targets AgentAPI instances running on plain HTTP (localhost), exploiting lack of hostname validation to redirect requests from an attacker-controlled domain to the local /messages endpoint. Pre-conditions include the victim visiting an attacker's website while AgentAPI runs locally; impact includes unauthorized access to message history containing credentials, file contents, and proprietary code.
Summary generated and translated by AI from the official description.
AgentAPI is an HTTP API for Claude Code, Goose, Aider, Gemini, Amp, and Codex. Versions 0.3.3 and below are susceptible to a client-side DNS rebinding attack when hosted over plain HTTP on localhost. An attacker can gain access to the /messages endpoint served by the Agent API. This allows for the unauthorized exfiltration of sensitive user data, specifically local message history, which can include secret keys, file system contents, and intellectual property the user was working on locally. This issue is fixed in version 0.4.0.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Affected products
coder · agentapiWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://github.blog/security/application-security/localhost-dangers-cors-and-dns-rebindinghttps://github.com/coder/agentapi/commit/5c425c62447b8a9eac19e9fc5a2eae7f0803f149https://github.com/coder/agentapi/pull/49https://github.com/coder/agentapi/releases/tag/v0.4.0https://github.com/coder/agentapi/security/advisories/GHSA-w64r-2g3w-w8w4https://mcpsec.dev/advisories/2025-09-19-coder-chat-exfiltrationhttps://mcpsec.dev/advisories/2025-09-19-coder-chat-exfiltration/