CVE-2025-22609 Overview
CVE-2025-22609 is a critical missing authorization vulnerability in Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. The vulnerability allows any authenticated user to attach any existing private key on a Coolify instance to their own server configuration. If the server configuration parameters (IP/domain, port, and user) match those of another user's server, an attacker can leverage the Terminal feature to execute arbitrary commands on the victim's server with full root access.
Critical Impact
Authenticated attackers can hijack private SSH keys and execute arbitrary commands on victim servers, leading to complete system compromise with root-level access.
Affected Products
- Coollabs Coolify versions prior to 4.0.0-beta.361
- Coolify 4.0.0-beta.18 through 4.0.0-beta.360
- All Coolify 4.x beta installations without the security patch
Discovery Timeline
- January 24, 2025 - CVE-2025-22609 published to NVD
- September 19, 2025 - Last updated in NVD database
Technical Details for CVE-2025-22609
Vulnerability Analysis
This vulnerability is classified under CWE-862 (Missing Authorization). The core issue stems from the application failing to properly verify whether a user has the necessary permissions before allowing them to associate private SSH keys with server configurations. In multi-tenant Coolify deployments, this authorization gap creates a severe security boundary violation.
The attack succeeds when an attacker can match their malicious server configuration to a victim's legitimate server settings. Since Coolify uses SSH key-based authentication for server management, the ability to attach arbitrary private keys to server configurations effectively grants unauthorized access to those servers. The Terminal feature in Coolify then becomes the conduit for executing commands, typically running as root since many server deployments use root-level SSH access.
The impact is catastrophic for affected deployments: complete confidentiality breach through access to all server data, full integrity compromise via arbitrary command execution, and potential availability impact through destructive operations or service disruption.
Root Cause
The root cause is the absence of authorization checks in the functionality that manages private key associations with server configurations. The application allows any authenticated user to reference and attach private keys that belong to other users or the system, without validating ownership or access permissions. This is a classic Broken Access Control (BAC) vulnerability where authentication exists but authorization is missing.
Attack Vector
The attack requires the following conditions: the attacker must have valid authentication credentials to the Coolify instance, knowledge or ability to guess the victim's server configuration (IP address or domain, SSH port typically 22, and username typically root), and access to the Terminal feature within Coolify. Once these conditions are met, the attacker configures their own server entry with parameters matching the victim's server, attaches an existing private key from the Coolify instance to this configuration, and uses the built-in Terminal feature to establish an SSH connection. Since the private key is valid for the victim's server, authentication succeeds and the attacker gains command execution capabilities.
Detection Methods for CVE-2025-22609
Indicators of Compromise
- Unexpected private key associations in server configurations that don't match the original owner's account
- Terminal session activity from user accounts that shouldn't have access to specific servers
- Audit log entries showing private key attachments by users who didn't create those keys
- SSH connections to servers originating from unexpected Coolify user sessions
Detection Strategies
- Monitor Coolify audit logs for cross-account private key associations or modifications
- Implement alerting on Terminal feature usage, particularly when accessing servers not owned by the authenticated user
- Review SSH connection logs on managed servers for authentication using keys that weren't explicitly authorized for specific user accounts
- Deploy file integrity monitoring on private key storage locations within Coolify
Monitoring Recommendations
- Enable verbose logging for all server configuration changes in Coolify
- Set up real-time alerts for private key operations performed by non-administrative users
- Correlate Coolify user sessions with SSH authentication events on managed servers
- Periodically audit the mapping between users, private keys, and server configurations for unauthorized associations
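One way to run the user/key/server audit recommended above, as an added example that is not Coolify's own code or data model: the PrivateKey and Server records, the team names and the addresses are constructed, and the two checks correspond to the cross-account key association and the matching-target condition the advisory describes.

```python
"""Audit user/key/server records for the cross-tenant private key associations
this advisory describes. Added example, not Coolify code: the record layout is a
constructed approximation of the data an operator would export for an audit."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class PrivateKey:
    key_id: int
    owner_team: str  # team (tenant) that uploaded or generated the key

@dataclass(frozen=True)
class Server:
    server_id: int
    owner_team: str
    ip: str
    port: int
    user: str
    key_id: int  # private key attached to this server entry

def audit(keys, servers):
    """Return (server_id, reason) findings; an empty list means clean."""
    key_owner = {k.key_id: k.owner_team for k in keys}
    findings = []
    # Check 1: a server entry references a key its own team does not own,
    # which is the missing-authorization condition (CWE-862) itself.
    for s in servers:
        owner = key_owner.get(s.key_id)  # None if the key no longer exists
        if owner != s.owner_team:
            findings.append((s.server_id, f"key {s.key_id} owned by {owner}, attached by {s.owner_team}"))
    # Check 2: one (ip, port, user) target registered by more than one team; a
    # duplicate entry is what lets the Terminal feature reach another team's host.
    by_target = defaultdict(list)
    for s in servers:
        by_target[(s.ip, s.port, s.user)].append(s)
    for target, entries in by_target.items():
        teams = sorted({e.owner_team for e in entries})
        if len(teams) > 1:
            for e in entries:
                findings.append((e.server_id, f"target {target} registered by teams {teams}"))
    return findings

# Constructed sample data (documentation addresses, not real indicators).
KEYS = [PrivateKey(1, "blue"), PrivateKey(2, "red")]
SERVERS = [
    Server(10, "blue", "203.0.113.10", 22, "root", 1),   # legitimate owner
    Server(11, "red", "203.0.113.10", 22, "root", 1),    # same target, blue's key
    Server(12, "red", "203.0.113.20", 22, "deploy", 2),  # clean entry
]
```

Running audit(KEYS, SERVERS) flags server 11 twice (foreign key, duplicate target) and server 10 once (its target is also registered by another team), while server 12 produces nothing.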
How to Mitigate CVE-2025-22609
Immediate Actions Required
- Upgrade Coolify to version 4.0.0-beta.361 or later immediately
- Audit all existing server configurations to identify unauthorized private key associations
- Review Terminal session logs for evidence of exploitation
- Rotate SSH keys on servers that may have been compromised and regenerate private keys within Coolify
Patch Information
Coollabs has released version 4.0.0-beta.361, which addresses this vulnerability by implementing proper authorization checks for private key operations. The fix ensures that users can only attach private keys that belong to them or that they have explicit permission to use. Organizations should update to this version or later through their standard Coolify update process. For more details, see the GitHub Security Advisory for CVE-2025-22609.
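The ownership-or-explicit-grant check the fix is described as adding, shown as an added example next to the pre-patch logic; the names, the team-based data model and the outcome helper are assumptions for illustration, not Coolify's actual implementation.

```python
"""Authorization for attaching a private key to a server entry, modelled on the
fix this advisory describes (a user may only attach keys their team owns or was
explicitly granted). Added example with assumed names, not Coolify's own code.
Authentication is assumed to have happened already (e.g. in middleware)."""
from dataclasses import dataclass
from typing import Optional

class AuthorizationError(PermissionError):
    """Raised when an authenticated user lacks rights to the key or server."""

@dataclass
class User:
    user_id: int
    team: str
@dataclass
class PrivateKey:
    key_id: int
    owner_team: str
    shared_with: frozenset = frozenset()  # explicit grants to other teams
@dataclass
class Server:
    server_id: int
    owner_team: str
    key_id: Optional[int] = None

def key_authorized(user: User, key: PrivateKey) -> bool:
    """Ownership-or-explicit-grant check that the pre-patch path omitted."""
    return key.owner_team == user.team or user.team in key.shared_with

def attach_key_vulnerable(user: User, server: Server, key: PrivateKey) -> Server:
    """Pre-patch behaviour (CWE-862): any key id the caller names is linked."""
    server.key_id = key.key_id
    return server

def attach_key_fixed(user: User, server: Server, key: PrivateKey) -> Server:
    """Patched behaviour: authorize the server and the key before linking them."""
    if server.owner_team != user.team:
        raise AuthorizationError("server belongs to another team")
    if not key_authorized(user, key):
        raise AuthorizationError("key is not owned by or shared with this team")
    server.key_id = key.key_id
    return server

def outcome(attach, user: User, server: Server, key: PrivateKey) -> str:
    """Run one attach function and report the result as text."""
    try:
        return f"attached key {attach(user, server, key).key_id}"
    except AuthorizationError as exc:
        return f"denied: {exc}"
```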
Workarounds
- Restrict Coolify access to only highly trusted administrators until the patch is applied
- Implement network segmentation to limit SSH access from the Coolify server to managed hosts
- Disable or restrict access to the Terminal feature if not operationally required
- Deploy additional monitoring on SSH authentication events to detect unauthorized access attempts
# Verify Coolify version after upgrade (assumes a git-based install; adjust the path)
cd /path/to/coolify
git describe --tags --abbrev=0
# Expected output: v4.0.0-beta.361 or higher
# Review server configurations for unauthorized key associations
# (Replace with actual Coolify CLI commands or database queries as applicable)
# Check audit logs for suspicious activity
# (the log path below is an example; use the location your deployment writes to)
tail -f /var/log/coolify/audit.log | grep -E "(private_key|server_config)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

