CVE-2025-22609

high-risk

Published 2025-01-24

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to attach any existing private key on a coolify instance to his own server. If the server configuration of IP / domain, port (most likely 22) and user (root) matches with the victim's server configuration, then the attacker can use the `Terminal` feature and execute arbitrary commands on the victim's server. Version 4.0.0-beta.361 fixes the issue.

Do I need to act?

0.52% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Fix available

Upgrade to: e7306300b1a80dc89d314eef5ce3f54260a77721

CVSS 10.0/10 Critical

NETWORK / LOW complexity

Affected Products (20)

Coolify

Affected Vendors

Coollabs

References (1)

Exploit https://github.com/coollabsio/coolify/security/advisories/GHSA-3w2c-jfr2-9pg9

/ 100

high-risk

Severity 33/34 · Critical

Exploitability 2/34 · Minimal

Exposure 33/34 · Critical