CRITICAL🇵🇱 Wersja polska

CVE-2025-64420

CVSS 9.9v3.1pub. 2026-01-05upd. 2026-01-12

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions prior to and including v4.0.0-beta.434, low privileged users are able to see the private key of the root user on the Coolify instance. This allows them to ssh to the server and authenticate as root user, using the private key. As of time of publication, it is unclear if a patch is available.

🤖 AI Analysis
How it works

Coolify improperly secures access to stored authentication data (CWE-522 — insufficiently protected authentication data). A logged-in user with low privileges is able to read the private SSH key belonging to the root account on the server hosting Coolify. With this key, an attacker can establish an SSH connection directly to the server and authenticate as root, completely bypassing standard access control mechanisms.

Impact

An attacker gains full access to the server with root privileges, enabling system takeover, reading and modifying all data, and further lateral movement within the infrastructure.

Mitigation & patch

At the time of CVE publication, patch availability status was unclear. Monitor the official project repository (https://github.com/coollabsio/coolify) and GHSA advisory qwxj-qch7-whpc, and apply patches according to vendor references immediately upon release. Until patched, restrict access to Coolify instances to trusted users only and rotate root SSH keys.

Who is affected

Coolify (Coollabs) in versions up to v4.0.0-beta.434 inclusive

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Coollabs Coolify

    APP
    Coollabs
    4.0.0< 4.0.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-59158CRITICAL9.4PL ✓ten sam produkt

Stored XSS w Coolify — atak przez złośliwą nazwę projektu

CVE-2025-64419CRITICAL9.6PL ✓ten sam produkt

Command injection w Coolify via docker-compose.yaml — RCE jako root

CVE-2025-59156CRITICAL9.4PL ✓ten sam produkt

RCE w Coolify — command injection w konfiguracji Docker Compose

CVE-2025-59157CRITICAL9.9PL ✓ten sam produkt

Command injection w polu Git Repository w Coolify

CVE-2025-64424CRITICAL9.4PL ✓ten sam produkt

Command injection w Coolify — wykonanie poleceń jako root przez użytkownika