Summary

Snyk Code Analysis identified 65 issues across 92 analyzed files in code-server. The High severity findings affect production deployments.

High Severity (7 issues)

Cross-site Scripting (XSS) — CWE-79, Score 807

• src/node/routes/errors.ts line 56
• src/node/routes/login.ts lines 68, 119

User-controlled input may be rendered without proper HTML escaping in error and login responses.

Path Traversal — CWE-23, Score 804

• src/node/routes/vscode.ts lines 149, 219

User-supplied path components may allow reading files outside the intended directory.

Regular Expression Denial of Service (ReDoS) — CWE-400, Score 752

• src/node/routes/domainProxy.ts line 46

A regex pattern may cause catastrophic backtracking with crafted input.

Medium Severity (14 issues)

Open Redirect — CWE-601, Score 557

• src/node/routes/login.ts lines 62, 99
• src/node/routes/index.ts line 94

Allocation of Resources Without Limits — CWE-770, Score 555

• src/node/routes/errors.ts line 37
• src/node/routes/vscode.ts line 213

Information Exposure via X-Powered-By — CWE-200, Score 554

• src/node/app.ts line 70

Sensitive Cookie Without Secure/HttpOnly Flags — CWE-614/CWE-1004, Score 402

• src/node/routes/login.ts line 96

Low Severity (44 issues)

Primarily in test files (hardcoded passwords, cleartext HTTP). Not production concerns.

Reproduction

Scanned with Snyk Code Analysis on code-server main branch (commit near v4.112.0).

Suggested Fixes

• XSS: HTML-encode user input before rendering in error/login templates
• Path Traversal: Resolve and validate paths against intended root directory
• ReDoS: Simplify or replace the vulnerable regex pattern
• Open Redirect: Validate redirect URLs against an allowlist
• X-Powered-By: Disable with app.disable('x-powered-by')
• Cookie flags: Add Secure and HttpOnly to session cookies

Happy to submit PRs for any of these if the team confirms the approach.