Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-22608

CVE-2025-22608: Coollabs Coolify DOS Vulnerability

CVE-2025-22608 is a denial-of-service flaw in Coollabs Coolify that allows authenticated users to revoke team invitations. This post covers the technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2025-22608 Overview

CVE-2025-22608 affects Coolify, an open-source and self-hostable platform for managing servers, applications, and databases. The vulnerability stems from missing authorization checks on the team invitation revocation endpoint. Any authenticated user can revoke arbitrary team invitations across the entire Coolify instance by supplying predictable, incrementing invitation IDs. This produces a Denial-of-Service (DoS) condition for legitimate onboarding workflows. The issue is classified under [CWE-639] (Authorization Bypass Through User-Controlled Key), commonly known as an Insecure Direct Object Reference (IDOR). Version 4.0.0-beta.361 resolves the flaw.

Critical Impact

Any authenticated Coolify user can enumerate incrementing invitation identifiers and revoke pending team invitations across other teams, disrupting onboarding and administrative workflows on shared or multi-tenant instances.

Affected Products

  • Coollabs Coolify versions prior to 4.0.0-beta.361
  • Coolify 4.0.0-beta.18 through 4.0.0-beta.360 (self-hosted deployments)
  • All Coolify instances exposing the team invitation revocation endpoint to authenticated users

Discovery Timeline

  • 2025-01-24 - CVE-2025-22608 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-22608

Vulnerability Analysis

Coolify's team invitation revocation endpoint accepts a numeric invitation identifier and processes the revocation without verifying that the requesting user belongs to the team owning that invitation. Because invitation IDs are assigned sequentially by the underlying database, an attacker who holds any valid account on the instance can iterate through the ID space and cancel pending invitations belonging to other teams.

The issue is a broken access control flaw, not a memory safety or injection defect. Exploitation requires only a valid authenticated session, which is trivial to obtain on public or community Coolify deployments that permit self-registration. The impact is limited to integrity and availability of invitation records — no confidential invitation contents are disclosed and no code execution results.

Root Cause

The root cause is a missing authorization check ([CWE-639]) in the controller handling invitation revocation. The application authenticates the requester but does not enforce an ownership or team-membership predicate before mutating the invitation record. Combined with predictable, incrementing primary keys used as external identifiers, this creates a classic IDOR pattern where the object reference itself becomes the sole gate on the action.

Attack Vector

An authenticated user issues repeated requests to the invitation revocation endpoint, incrementing the invitation ID with each call. Each successful request removes a pending invitation that belongs to an arbitrary team on the same instance. Automation makes it trivial to sweep the full ID range in seconds, revoking every outstanding invitation and preventing new members from joining until administrators reissue them.

See the Coolify GitHub Security Advisory GHSA-qmxm-wvm9-wvxx for the maintainer's technical write-up.

Detection Methods for CVE-2025-22608

Indicators of Compromise

  • Unexpected disappearance of pending team invitations reported by team administrators
  • Bursts of HTTP requests from a single authenticated session targeting the invitation revocation route with sequential ID parameters
  • Application audit log entries showing invitation revocations attributed to users who are not members of the affected team
  • Repeated 200/204 responses to invitation revocation requests within a short time window from one source IP or session

Detection Strategies

  • Review Coolify application logs for invitation revocation actions and correlate the acting user's team membership against the invitation's owning team
  • Alert on any single authenticated session issuing more than a small threshold of invitation revocation requests per minute
  • Baseline normal invitation revocation volume per tenant and flag statistical outliers

Monitoring Recommendations

  • Forward Coolify web server access logs and application audit events to a centralized log store for retention and correlation
  • Track the coolify container image tag in use and alert when it lags behind the fixed release 4.0.0-beta.361
  • Monitor authentication logs for newly created accounts followed shortly by administrative actions such as invitation revocation

How to Mitigate CVE-2025-22608

Immediate Actions Required

  • Upgrade all Coolify instances to version 4.0.0-beta.361 or later without delay
  • Audit outstanding team invitations and reissue any that were revoked without a legitimate administrator action
  • Restrict self-registration on internet-exposed Coolify instances until the upgrade is complete
  • Rotate any invitation tokens that may have been affected and notify impacted invitees

Patch Information

The vulnerability is fixed in Coolify 4.0.0-beta.361. The maintainers added the missing authorization check so that only members of the team owning an invitation can revoke it. Full remediation details are published in the Coolify GitHub Security Advisory GHSA-qmxm-wvm9-wvxx.

Workarounds

  • Place the Coolify web interface behind an authenticating reverse proxy or VPN so only trusted operators can reach the API surface
  • Disable public user registration on the Coolify instance to limit the pool of accounts that could abuse the endpoint
  • Apply web application firewall rate limiting on the invitation revocation route to slow automated enumeration until the patch is deployed
bash
# Upgrade a self-hosted Coolify deployment to the fixed release
curl -fsSL https://cdn.coollabs.io/coolify/install.sh | bash -s -- --version 4.0.0-beta.361

# Verify the running version
docker inspect coolify --format '{{.Config.Image}}'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.