CVE-2025-22611 in coolify
Summary
by MITRE • 01/24/2025
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to escalate his or any other team members privileges to any role, including the owner role. He's also able to kick every other member out of the team, including admins and owners. This allows the attacker to access the `Terminal` feature and execute remote commands. Version 4.0.0-beta.361 fixes the issue.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 01/24/2025
The vulnerability identified as CVE-2025-22611 affects Coolify, an open-source self-hostable management tool for servers, applications, and databases. This critical authorization flaw exists in versions prior to 4.0.0-beta.361 and represents a severe privilege escalation vulnerability that undermines the application's core security model. The issue stems from inadequate access control mechanisms that fail to properly validate user permissions during privilege modification operations, creating a pathway for authenticated users to assume elevated roles within the system.
The technical flaw manifests as a missing authorization check that allows any authenticated user to manipulate team member roles without proper validation. This vulnerability specifically targets the role assignment functionality within Coolify's team management system, enabling attackers to elevate their privileges to owner level or any other role within the team structure. The flaw operates at the application logic level, where the system fails to enforce proper access controls when processing role modification requests, making it a direct violation of the principle of least privilege. This authorization bypass represents a CWE-285 vulnerability, specifically related to insufficient authorization checks within software applications. The vulnerability's impact is amplified by the fact that the attacker can also remove other team members including administrators and owners, completely dismantling the intended team hierarchy and access controls.
The operational impact of this vulnerability is profound and far-reaching within the Coolify ecosystem. An authenticated attacker can not only assume administrative privileges but also completely remove existing team members, effectively taking full control of the team's resources and access permissions. This capability extends to access the Terminal feature, which serves as a gateway for executing remote commands on the underlying server infrastructure. The ability to execute arbitrary commands through the Terminal interface transforms this authorization flaw into a complete system compromise vulnerability, allowing attackers to potentially gain full control over the managed servers and applications. This represents a critical escalation from a simple privilege escalation to a full remote code execution capability, making it particularly dangerous for organizations relying on Coolify for infrastructure management.
The mitigation strategy for CVE-2025-22611 involves immediate deployment of version 4.0.0-beta.361 or later, which addresses the authorization bypass through proper access control implementation. Organizations should also implement additional monitoring for unauthorized privilege changes and team membership modifications within their Coolify installations. Security teams should conduct thorough audits of existing team structures and roles to identify any potential compromise. The fix implemented in version 4.0.0-beta.361 likely includes proper authorization checks that validate user permissions before allowing role modifications or team membership changes. From an ATT&CK framework perspective, this vulnerability maps to privilege escalation techniques and command and control operations, as the attacker can establish persistent access through the Terminal feature and execute malicious commands remotely. Organizations should also consider implementing network segmentation and access controls around Coolify instances to limit potential attack surface, particularly in environments where multiple users have access to the system.