CVE-2025-22609 in coolifyinfo

Summary

by MITRE • 01/24/2025

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to attach any existing private key on a coolify instance to his own server. If the server configuration of IP / domain, port (most likely 22) and user (root) matches with the victim's server configuration, then the attacker can use the `Terminal` feature and execute arbitrary commands on the victim's server. Version 4.0.0-beta.361 fixes the issue.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 09/19/2025

The vulnerability identified as CVE-2025-22609 affects Coolify, an open-source self-hostable platform designed for managing servers, applications, and databases. This security flaw represents a critical authorization bypass issue that undermines the platform's security model and exposes systems to unauthorized remote code execution. The vulnerability exists in versions prior to 4.0.0-beta.361, indicating that the development team has acknowledged and addressed this concern in their subsequent release cycle. The core issue stems from inadequate access controls that fail to properly validate user permissions when attaching private keys to server configurations, creating a significant vector for privilege escalation attacks.

The technical implementation of this vulnerability involves a missing authorization check that allows any authenticated user to manipulate private key attachments within the Coolify instance. When an attacker successfully attaches a private key to their server configuration, they can leverage the platform's terminal feature to execute arbitrary commands on victim servers. This occurs because the system does not properly verify whether the authenticated user has legitimate authorization to associate the target private key with their server. The attack vector specifically requires matching server configurations including IP/domain, port (typically port 22 for ssh connections), and user credentials (often root access). This configuration matching process enables the attacker to effectively impersonate legitimate system access and gain unauthorized control over target systems. The vulnerability aligns with CWE-862, which describes insufficient authorization flaws where systems fail to properly enforce access control mechanisms, and represents a clear violation of the principle of least privilege in cybersecurity practices.

The operational impact of this vulnerability extends beyond simple unauthorized access to encompass complete system compromise capabilities. An attacker who successfully exploits this vulnerability can execute arbitrary commands on victim servers, potentially leading to data exfiltration, system modification, privilege escalation, or even lateral movement within network infrastructure. The attack requires only authentication to the Coolify instance, making it particularly dangerous as it can be exploited by any user with valid credentials rather than requiring specialized attack vectors. This vulnerability essentially transforms any authenticated user into a potential threat actor capable of compromising other systems within the same Coolify environment, creating a significant risk for organizations that rely on the platform for server management. The severity is amplified by the fact that the attack can be executed through the platform's legitimate terminal functionality, making it difficult to detect through normal security monitoring processes.

Mitigation strategies for CVE-2025-22609 focus primarily on upgrading to version 4.0.0-beta.361 or later, which implements proper authorization controls for private key attachment operations. Organizations should immediately implement this upgrade as a priority measure to protect their Coolify instances from exploitation. Additionally, administrators should review and tighten access controls within their Coolify environments, ensuring that user permissions are properly enforced and that only authorized personnel have access to critical system resources. Network segmentation and monitoring should be enhanced to detect unusual terminal activity or unauthorized key attachment attempts. The vulnerability demonstrates the critical importance of proper authorization checking in multi-user systems and serves as a reminder that even seemingly benign features like terminal access must be carefully secured against unauthorized usage patterns. Organizations should also consider implementing additional security controls such as multi-factor authentication, regular security audits of access controls, and monitoring for anomalous behavior patterns that might indicate exploitation attempts. This vulnerability highlights the necessity of following ATT&CK framework principles for access control and privilege escalation, particularly focusing on techniques that involve unauthorized access to system resources and command execution through legitimate interfaces.

Responsible

GitHub M

Reservation

01/07/2025

Disclosure

01/24/2025

Moderation

accepted

CPE

ready

EPSS

0.00723

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!