CRITICAL🇵🇱 Wersja polska

CVE-2025-22609

CVSS 10.0v3.1pub. 2025-01-24upd. 2025-09-19

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to attach any existing private key on a coolify instance to his own server. If the server configuration of IP / domain, port (most likely 22) and user (root) matches with the victim's server configuration, then the attacker can use the `Terminal` feature and execute arbitrary commands on the victim's server. Version 4.0.0-beta.361 fixes the issue.

🤖 AI Analysis
How it works

Coolify before version 4.0.0-beta.361 does not verify permissions when assigning private SSH keys to servers (CWE-862 — missing authorization). A logged-in attacker can assign another person's private key to their own server. If the attacker's server configuration (IP address/domain, port — usually 22 — and user, e.g., root) matches the victim's server configuration, the attacker can use the Terminal function in Coolify and execute arbitrary system commands on the victim's server.

Impact

The attacker can gain full control over the victim's server by executing arbitrary commands with the privileges of the configured user (e.g., root), resulting in complete loss of confidentiality, integrity, and availability of the system.

Mitigation & patch

Coolify must be updated to version 4.0.0-beta.361 or newer, which removes the described vulnerability. The patch is available in the vendor's repository.

Who is affected

Coollabs Coolify in all versions before 4.0.0-beta.361

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Coollabs Coolify

    APP
    Coollabs
    4.0.0< 4.0.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-59158CRITICAL9.4PL ✓ten sam produkt

Stored XSS w Coolify — atak przez złośliwą nazwę projektu

CVE-2025-64419CRITICAL9.6PL ✓ten sam produkt

Command injection w Coolify via docker-compose.yaml — RCE jako root

CVE-2025-59156CRITICAL9.4PL ✓ten sam produkt

RCE w Coolify — command injection w konfiguracji Docker Compose

CVE-2025-59157CRITICAL9.9PL ✓ten sam produkt

Command injection w polu Git Repository w Coolify

CVE-2025-64420CRITICAL9.9PL ✓ten sam produkt

Coolify: nieuprawniony dostęp do prywatnego klucza SSH użytkownika root