CVE-2025-22609

Published Jan 24, 2025

Last updated a month ago

Overview

Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, a missing authorization check allows any authenticated user to attach any existing private key on a Coolify instance to their own server. If the attacker's server configuration of IP / domain, port (most likely 22) and user (root) matches the victim's server configuration, then the attacker can use the `Terminal` feature and execute arbitrary commands on the victim's server. Version 4.0.0-beta.361 fixes the issue.
Source
security-advisories@github.com
NVD status
Received

Risk scores

CVSS 3.1

Type
Secondary
Base score
10
Impact score
6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-862

Social media

Hype score
Not currently trending
  1. CVE-2025-22609, -611, -612: Multiple vulns in Coolify, 10.0 rating 🔥🔥🔥 Three vulns in Coolify allow for RCE, privilege escalation, and authentication bypass. Search at https://t.co/hv7QKSqxTR: 👉 Link: https://t.co/WS3dEpv2Gk #cybersecurity #vulnerability_map #coolify https

    @Netlas_io

    29 Jan 2025

    961 Impressions

    6 Retweets

    18 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  2. CVSS 10 Alert: Coolify Hit by Three Critical Security Flaws – CVE-2025-22612, CVE-2025-22611, and CVE-2025-22609 https://t.co/meSverj76y

    @the_yellow_fall

    29 Jan 2025

    116 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. [CVE-2025-22609: CRITICAL] 🔒 Stay safe online! Upgrade to Coolify version 4.0.0-beta.361 now! This update fixes a security issue that allowed unauthorized access to servers through the tool. #cybersecurity #cybersecurity, #vulnerability https://t.co/cE5lb5AAa1 https://t.co/3N034Jz

    @CveFindCom

    24 Jan 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Critical vulnerability (CVE-2025-22609) in Coolify < 4.0.0-beta.363 allows authenticated users to attach private keys, potentially granting root access to other servers via the Terminal feature if configurations match. Update immediately!

    @BursaMatus

    24 Jan 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-22609 Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows … https://t.co/TLadqM94EG

    @CVEnew

    24 Jan 2025

    252 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes