CVE-2025-22608 in coolify
Summary
by MITRE • 01/24/2025
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to revoke any team invitations on a Coolify instance by only providing a predictable and incrementing ID, resulting in a Denial-of-Service attack (DOS). Version 4.0.0-beta.361 fixes the issue.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 09/19/2025
The vulnerability identified as CVE-2025-22608 affects Coolify, an open-source self-hostable platform designed for server, application, and database management. This security flaw represents a critical authorization bypass issue that undermines the platform's access control mechanisms. The vulnerability specifically impacts versions prior to 4.0.0-beta.361, where the system fails to properly validate user permissions when processing team invitation revocation requests. The flaw stems from a predictable and incrementing identifier system that allows unauthorized access to administrative functions typically restricted to authorized users.
The technical implementation of this vulnerability exploits a fundamental weakness in the authorization framework where the application does not adequately verify whether an authenticated user possesses the necessary privileges to revoke team invitations. Attackers can leverage this by constructing requests using predictable ID sequences, effectively bypassing normal access controls that should restrict such operations to team administrators or owners. This type of vulnerability aligns with CWE-863, which describes "Incorrect Authorization" where an actor is able to perform actions for which they are not authorized. The predictable nature of the ID generation creates a pathway for attackers to systematically test and exploit the authorization gap without requiring additional credentials or privileges.
The operational impact of this vulnerability extends beyond simple privilege escalation to constitute a full denial-of-service attack vector. When authenticated users can revoke any team invitations, they essentially gain the ability to disrupt collaboration within the Coolify instance by removing legitimate team members from projects. This disruption occurs without proper authorization checks, effectively allowing any user to cause service degradation or complete operational paralysis for legitimate team members. The attack surface is particularly concerning given that Coolify is designed for self-hosted environments where organizations rely on the platform for critical infrastructure management. The vulnerability can be exploited by any authenticated user, making it particularly dangerous in multi-user environments where access control is paramount.
The remediation implemented in version 4.0.0-beta.361 addresses the core authorization flaw by introducing proper access control validation for team invitation revocation operations. This fix ensures that only users with appropriate administrative privileges can revoke invitations, preventing unauthorized access to critical collaboration functions. Organizations using older versions of Coolify should immediately implement this update to protect their infrastructure from potential exploitation. The vulnerability demonstrates the importance of proper authorization validation in web applications and aligns with ATT&CK technique T1078 which covers valid accounts as a means of gaining access to systems. Security practitioners should implement monitoring for unusual invitation revocation patterns and maintain updated versions of all open-source tools to prevent similar authorization bypass vulnerabilities from compromising operational integrity.