CRITICAL🇵🇱 Wersja polska

CVE-2025-22612

CVSS 10.0v3.1pub. 2025-01-24upd. 2025-09-19

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.374, the missing authorization allows an authenticated user to retrieve any existing private keys on a coolify instance in plain text. If the server configuration of IP / domain, port (most likely 22) and user (root) matches with the victim's server configuration, then the attacker can execute arbitrary commands on the remote server. Version 4.0.0-beta.374 fixes the issue.

🤖 AI Analysis
How it works

Lack of permission verification (missing authorization) allows an authenticated user to query API endpoints of a Coolify instance and read private SSH keys of other users without any access control. If the attacker's server configuration (IP address or domain, port, user account) matches the victim's server configuration, the stolen key can be used to establish an SSH connection and execute arbitrary commands on that server.

Impact

An attacker can gain full access to private SSH keys of all users on the instance, and under favorable conditions execute arbitrary commands (RCE) on remote servers managed by Coolify, which may result in complete infrastructure takeover.

Mitigation & patch

Coolify should be updated to version 4.0.0-beta.374 or newer, which contains a patch eliminating missing authorization when reading private keys.

Who is affected

Coolify in versions before 4.0.0-beta.374 (all self-hosted instances).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Coollabs Coolify

    APP
    Coollabs
    4.0.0< 4.0.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-59158CRITICAL9.4PL ✓ten sam produkt

Stored XSS w Coolify — atak przez złośliwą nazwę projektu

CVE-2025-64419CRITICAL9.6PL ✓ten sam produkt

Command injection w Coolify via docker-compose.yaml — RCE jako root

CVE-2025-59156CRITICAL9.4PL ✓ten sam produkt

RCE w Coolify — command injection w konfiguracji Docker Compose

CVE-2025-59157CRITICAL9.9PL ✓ten sam produkt

Command injection w polu Git Repository w Coolify

CVE-2025-64420CRITICAL9.9PL ✓ten sam produkt

Coolify: nieuprawniony dostęp do prywatnego klucza SSH użytkownika root