Cyber Posture

CVE-2025-22612

Severity: Critical · Public PoC available

Published: 24 January 2025
Modified: 19 September 2025
KEV Added: (no date listed)
Patch: available (4.0.0-beta.374)
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0052 (66.9th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.374, a missing authorization check allows an authenticated user to retrieve any existing private key on a Coolify instance in plain text. If the server configuration of IP / domain, port (most likely 22) and user (root) matches the victim's server configuration, the attacker can execute arbitrary commands on the remote server. Version 4.0.0-beta.374 fixes the issue.

Security Summary

CVE-2025-22612 is a critical authorization bypass vulnerability (CWE-862) combined with sensitive information exposure (CWE-200) in Coolify, an open-source, self-hostable tool for managing servers, applications, and databases. In versions prior to 4.0.0-beta.374, the flaw allows authenticated users to retrieve any existing private keys stored on a Coolify instance in plain text. The vulnerability has a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating maximum severity due to its network accessibility, low attack complexity, scope change, and potential for complete confidentiality, integrity, and availability impacts. Note that the vector rates privileges required as none (PR:N), whereas the advisory text describes the attacker as an authenticated user; treat any account on the instance, not only administrators, as sufficient to reach the flaw.

An authenticated attacker with access to the Coolify instance can exploit this by directly fetching private keys without proper authorization checks. If the stolen private key corresponds to a victim's server configuration—matching the IP or domain, port (typically 22 for SSH), and user (often root)—the attacker can use it to authenticate and execute arbitrary commands on the remote server, potentially leading to full remote code execution and server compromise.

The official advisory on GitHub (GHSA-wg8x-cgq4-vjxj) confirms that updating to Coolify version 4.0.0-beta.374 resolves the issue by adding the missing authorization controls that prevent unauthorized access to private keys. Security practitioners should prioritize patching affected instances, review which authenticated users have access to Coolify deployments, and, because any key stored on a vulnerable instance may already have been read in plain text, rotate those private keys and the corresponding authorized_keys entries on the managed servers.

Details

CWE(s)
CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-862 (Missing Authorization)

Affected Products

Vendor: coollabs
Product: coolify
Versions: 4.0.0 (≤ 4.0.0)

References