CVE-2025-22611
Published: 24 January 2025
Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to escalate his or any other team members privileges to any role, including the owner role. He's also able to kick every other member out of the team, including admins and owners. This allows the attacker to access the `Terminal` feature and execute remote commands. Version 4.0.0-beta.361 fixes the issue.
Security Summary
CVE-2025-22611 is a missing authorization vulnerability (CWE-862) in Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. The issue affects versions prior to 4.0.0-beta.361 and has a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). It stems from inadequate checks that permit unauthorized privilege modifications within teams.
Any authenticated user with low privileges can exploit this vulnerability over the network with no user interaction required. The attacker can escalate their own privileges or those of other team members to any role, including owner. They can also evict all other members from the team, including admins and owners, thereby assuming full control. This grants access to the Terminal feature, enabling execution of arbitrary remote commands on managed servers.
The official GitHub security advisory (GHSA-9w72-9qww-qj6g) at https://github.com/coollabsio/coolify/security/advisories/GHSA-9w72-9qww-qj6g documents the vulnerability. Version 4.0.0-beta.361 addresses and fixes the issue, and users should upgrade to this or later versions for mitigation.
Details
- CWE(s)