CVE-2025-22612 in coolifyinfo

Summary

by MITRE • 01/24/2025

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.374, the missing authorization allows an authenticated user to retrieve any existing private keys on a coolify instance in plain text. If the server configuration of IP / domain, port (most likely 22) and user (root) matches with the victim's server configuration, then the attacker can execute arbitrary commands on the remote server. Version 4.0.0-beta.374 fixes the issue.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 01/24/2025

The vulnerability identified as CVE-2025-22612 affects Coolify, an open-source self-hostable platform designed for managing servers, applications, and databases. This security flaw represents a critical authorization bypass issue that undermines the fundamental security model of the application. The vulnerability exists in versions prior to 4.0.0-beta.374, where the system fails to properly validate user permissions when accessing private key information, creating a significant attack surface for authenticated users who should not have such extensive privileges.

The technical implementation of this vulnerability stems from inadequate access control mechanisms within Coolify's authentication framework. Specifically, the system does not enforce proper authorization checks when retrieving private key data, allowing any authenticated user to access private keys stored within the application's configuration. This missing authorization check creates a path for privilege escalation where legitimate users can bypass normal security boundaries. The flaw manifests as a direct information disclosure vulnerability that exposes cryptographic keys in plaintext format, which is classified under CWE-284 according to the Common Weakness Enumeration taxonomy. The vulnerability's severity is amplified by the fact that private keys are typically sensitive cryptographic assets that should remain protected from unauthorized access.

The operational impact of this vulnerability extends far beyond simple information disclosure, creating a potential for complete system compromise. When an attacker successfully retrieves private keys, they can leverage these credentials to establish unauthorized connections to target servers. The vulnerability specifically targets SSH private keys that are commonly used for server access, with the default SSH port 22 being the most likely target. If the server configuration parameters such as IP address, domain name, port, and user credentials (particularly root access) match those configured in Coolify, the attacker can execute arbitrary commands on the remote server through the established SSH connection. This creates a direct path for remote code execution, privilege escalation, and potential lateral movement within network environments. The attack vector aligns with techniques described in the MITRE ATT&CK framework under the T1078 principle of Valid Accounts, where attackers leverage legitimate credentials to gain access to systems.

The remediation for this vulnerability required the implementation of proper authorization controls in version 4.0.0-beta.374. This fix ensures that private key retrieval operations are properly validated against user permissions and access controls. The solution addresses the root cause by implementing mandatory access controls that verify whether authenticated users have legitimate authorization to access specific private key materials. Organizations using Coolify should immediately upgrade to version 4.0.0-beta.374 or later to mitigate this risk. System administrators should also conduct thorough audits of private key usage and implement additional monitoring for unauthorized access attempts to key management systems. The vulnerability demonstrates the critical importance of proper access control implementation in multi-user applications where sensitive cryptographic materials are handled, as even authenticated users should not have unrestricted access to system-critical resources.

Responsible

GitHub M

Reservation

01/07/2025

Disclosure

01/24/2025

Moderation

accepted

CPE

ready

EPSS

0.00597

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!