CVE-2025-24025 in coolify
Summary
by MITRE • 01/24/2025
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.380, the tags page allows users to search for tags. If the search does not return any results, the query gets reflected on the error modal, which leads to cross-site scripting. Version 4.0.0-beta.380 fixes the issue.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 01/24/2025
The vulnerability identified as CVE-2025-24025 affects Coolify, an open-source self-hostable management tool for servers, applications, and databases. It is present in versions prior to 4.0.0-beta.380 and is a reflected cross-site scripting flaw in the application's tag search functionality. The weakness is not primarily one of input validation (a tag search legitimately has to accept arbitrary text) but of output handling: when a search yields no results, the original query is reflected back into the user interface without the encoding required for the HTML context it is rendered in.
Technically, the flaw stems from the error modal being built from the raw query string. When a search returns no matching tags, the system inserts the user's input directly into the "no results" message. Because that insertion happens without HTML encoding, an attacker can close the surrounding markup and inject arbitrary HTML and JavaScript, which then executes in the victim's browser within the origin of the Coolify instance. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a reflected XSS vector that rides on the application's error handling path.
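The pattern described above, reduced to a small self-contained model. This is an added example and is not Coolify's code: the tag list, the function names, the modal markup and the attacker query are all constructed here. It shows the vulnerable rendering (raw query concatenated into the modal), the hardened rendering (query encoded for the HTML context it lands in), and a payload that only triggers because no tag matches it.

```javascript
// Added example (not Coolify's code): reflected XSS in a "no results" modal
// and its hardened counterpart. All names and data below are hypothetical.

const TAGS = ["production", "staging", "database"]; // constructed sample tag list

// Minimal entity encoding for the HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Case-insensitive substring match over the sample tag list.
function searchTags(query) {
  const q = String(query).toLowerCase();
  return TAGS.filter((t) => t.includes(q));
}

// VULNERABLE: the raw query is concatenated into the modal markup, so a query
// containing '">' closes the quoted text and injects new elements.
function renderErrorModalUnsafe(query) {
  return `<div class="modal"><p>No tags found for "${query}"</p></div>`;
}

// HARDENED: the query is encoded for the HTML context before insertion.
function renderErrorModalSafe(query) {
  return `<div class="modal"><p>No tags found for "${escapeHtml(query)}"</p></div>`;
}

// Simulates the page: on a hit returns the results, on a miss returns the modal
// markup that would be shown to the user.
function handleSearch(query, { hardened }) {
  const results = searchTags(query);
  if (results.length > 0) return { results, html: null };
  const html = hardened ? renderErrorModalSafe(query) : renderErrorModalUnsafe(query);
  return { results, html };
}

// Constructed attacker query: it matches no tag, so it is routed to the modal.
const PAYLOAD = '"><img src=x onerror=alert(document.cookie)>';

console.log("unsafe:", handleSearch(PAYLOAD, { hardened: false }).html);
console.log("safe:  ", handleSearch(PAYLOAD, { hardened: true }).html);
```

The important design point is that the encoding happens at the output site, for the specific context (here HTML text inside a double-quoted literal in a `<p>`). Rejecting or stripping characters on input would either break legitimate tag searches or miss contexts the validator did not anticipate; encoding at render time does not depend on what the input looks like.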
The operational impact is not limited to cookie theft. Script running in the victim's session can read page content, send requests to the Coolify backend with the victim's credentials, redirect the user to a phishing page, or perform any action the victim's account is authorized to perform in the Coolify interface. Because the vulnerability is reflected, exploitation requires a victim with an active Coolify session to open a crafted link, so it depends on social engineering; the attack surface is therefore largest where Coolify operators routinely follow links from chat, tickets or e-mail.
The mitigation for this class of bug is context-aware output encoding wherever user-controlled data is rendered, including error paths. The fix in version 4.0.0-beta.380 follows that approach: the query is encoded before it is displayed, so browser-side execution of injected markup is no longer possible. Operators should upgrade to the patched version and add defensive layers around it, notably a Content Security Policy whose script-src does not allow 'unsafe-inline', which blocks inline scripts and inline event handlers such as onerror even if a further reflection is found. The case also illustrates that error messages and search features deserve the same review as primary input paths. In ATT&CK terms the injected payload corresponds to T1059.007 (Command and Scripting Interpreter: JavaScript); the T1211 mapping sometimes attached to input-handling bugs is Exploitation for Defense Evasion and does not describe this vulnerability.
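One practical check that follows from the version range stated above, as an added example rather than anything shipped by Coolify or VulDB: decide whether a given Coolify version string is inside the affected range "prior to 4.0.0-beta.380". The version shape MAJOR.MINOR.PATCH-beta.N is taken from the advisory; the parsing rules, the assumption that the range follows semver ordering (so a pre-release sorts before the corresponding final release), and all sample version strings are this example's own.

```javascript
// Added example (not Coolify's or VulDB's code): is an installed Coolify
// version older than the fixed release 4.0.0-beta.380?

const FIXED_VERSION = "4.0.0-beta.380";

// Parse "4.0.0-beta.379" (optionally prefixed with "v") into
// { core: [4, 0, 0], pre: ["beta", 379] }; pre is null for a final release.
// Returns null if the string does not match the expected shape.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.(\d+))?$/.exec(String(v).trim());
  if (!m) return null;
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? [m[4].toLowerCase(), Number(m[5])] : null,
  };
}

// Semver-style ordering (assumed here): compare the numeric core first; a final
// release is newer than any pre-release of the same core; otherwise compare the
// pre-release tag, then its number NUMERICALLY. Plain string comparison gets the
// last step wrong ("beta.99" sorts after "beta.380" as strings).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${!pa ? a : b}`);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  if (pa.pre[0] !== pb.pre[0]) return pa.pre[0] < pb.pre[0] ? -1 : 1;
  if (pa.pre[1] !== pb.pre[1]) return pa.pre[1] < pb.pre[1] ? -1 : 1;
  return 0;
}

// True when the installed version sorts before the fixed version.
function isAffected(installed) {
  return compareVersions(installed, FIXED_VERSION) < 0;
}

// Constructed sample versions for a quick run.
for (const v of ["4.0.0-beta.379", "4.0.0-beta.99", "4.0.0-beta.380", "4.0.0-beta.381", "4.0.0"]) {
  console.log(v, isAffected(v) ? "affected" : "not affected");
}
```

The numeric comparison of the beta counter is the part worth copying: a naive string comparison would report 4.0.0-beta.99 as newer than 4.0.0-beta.380 and wrongly mark an old install as patched.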
Security practitioners should note that this is a common oversight: error messages are written as if their content were trusted, so a query that fails to match becomes the injection point. The patch itself is a single control, output encoding at the point of rendering; defense in depth is what surrounds it, such as a restrictive Content Security Policy, HttpOnly session cookies that keep document.cookie out of reach of injected script, and code review of every place user input is echoed back. Organizations running Coolify, and especially any fork or locally modified deployment, should review their own templates and error paths for the same pattern.