CVE-2025-22611 Overview
CVE-2025-22611 is a critical missing authorization vulnerability in Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. This vulnerability allows any authenticated user to escalate their privileges or modify the privileges of any other team member to any role, including the owner role. Additionally, the attacker can remove all other team members, including administrators and owners, from the team entirely. This access ultimately enables the attacker to leverage the Terminal feature and execute remote commands on managed servers.
Critical Impact
Any authenticated user can escalate to owner privileges, remove legitimate administrators, and execute arbitrary remote commands on managed servers through the Terminal feature.
Affected Products
- Coollabs Coolify versions prior to 4.0.0-beta.361
- Coolify 4.0.0-beta.18 through 4.0.0-beta.360
- All Coolify beta releases in the 4.0.0 branch before the security patch
Discovery Timeline
- January 24, 2025 - CVE-2025-22611 published to NVD
- September 19, 2025 - Last updated in NVD database
Technical Details for CVE-2025-22611
Vulnerability Analysis
This vulnerability stems from a missing authorization flaw (CWE-862) in Coolify's team management functionality. The application fails to properly verify whether a user has the necessary permissions before allowing them to modify team member roles or remove team members. This broken access control allows privilege escalation from any authenticated team member to the highest privilege level (owner role).
The impact of this vulnerability is severe because Coolify is designed to manage critical infrastructure including servers, applications, and databases. Once an attacker gains owner privileges, they can access the Terminal feature, which provides direct command execution capabilities on managed servers. This creates a pathway from a low-privileged authenticated position to full remote command execution across the entire infrastructure managed by the Coolify instance.
Root Cause
The root cause is missing authorization checks in the API endpoints or functions responsible for modifying team member roles and removing team members. The application accepts and processes these requests from any authenticated user without validating whether the requesting user has administrative or owner-level permissions to perform such actions. This is a classic broken access control vulnerability where authentication is enforced, but authorization is not.
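To make the "authentication but no authorization" pattern concrete, the following added example (generic illustration, not Coolify's own code; the role names, the rank ordering and the authorization rules are assumptions for this example) places a vulnerable role-change handler beside a hardened one. The vulnerable handlers only confirm that the caller is a team member; the hardened handlers additionally require an admin or owner caller, forbid handing out a role above the caller's own, stop admins from touching peers or owners, and keep at least one owner on the team.

```python
"""Generic illustration (not Coolify's code) of the missing-authorization
pattern (CWE-862) behind CVE-2025-22611: a team-management handler that
confirms the caller is logged in but never checks whether the caller may
change roles or remove members. Role names and rules are assumptions."""
from dataclasses import dataclass, field

# Assumed role hierarchy for this example; a higher rank means more privilege.
RANK = {"member": 1, "admin": 2, "owner": 3}


class Forbidden(Exception):
    """Caller is authenticated but not authorized for this action."""


@dataclass
class Team:
    roles: dict = field(default_factory=dict)  # user id -> role name

    def rank(self, user: str) -> int:
        # Users who are not on the team rank below every real role.
        return RANK.get(self.roles.get(user), 0)

    def owners(self) -> set:
        return {u for u, r in self.roles.items() if r == "owner"}


def _require_member(team: Team, actor: str) -> None:
    # Authentication-style check only: is the actor on the team at all?
    if actor not in team.roles:
        raise Forbidden("not a team member")


def change_role_vulnerable(team: Team, actor: str, target: str, new_role: str) -> None:
    """Vulnerable: any team member can give anyone, themselves included, any role."""
    _require_member(team, actor)
    if new_role not in RANK:
        raise ValueError("unknown role")
    team.roles[target] = new_role


def remove_member_vulnerable(team: Team, actor: str, target: str) -> None:
    """Vulnerable: any team member can remove anyone, owners included."""
    _require_member(team, actor)
    team.roles.pop(target, None)


def _authorize(team: Team, actor: str, target: str, new_rank: int) -> None:
    """Authorization rules shared by the hardened handlers (rank 0 = removal)."""
    _require_member(team, actor)
    actor_rank = team.rank(actor)
    if actor_rank < RANK["admin"]:
        raise Forbidden("only admins and owners manage membership")
    # A caller cannot hand out a role more powerful than their own.
    if new_rank > actor_rank:
        raise Forbidden("cannot assign a role above your own")
    # Only owners may touch peers or superiors (an admin cannot demote an owner).
    if team.rank(target) >= actor_rank and actor_rank < RANK["owner"]:
        raise Forbidden("cannot modify a member of equal or higher rank")
    # A team must always retain at least one owner.
    if team.owners() == {target} and new_rank < RANK["owner"]:
        raise Forbidden("cannot remove or demote the last owner")


def change_role_fixed(team: Team, actor: str, target: str, new_role: str) -> None:
    """Hardened: authenticates AND authorizes before changing a role."""
    if new_role not in RANK:
        raise ValueError("unknown role")
    _authorize(team, actor, target, RANK[new_role])
    team.roles[target] = new_role


def remove_member_fixed(team: Team, actor: str, target: str) -> None:
    """Hardened: removal is treated as assigning rank 0."""
    _authorize(team, actor, target, 0)
    team.roles.pop(target, None)


def is_forbidden(fn, *args) -> bool:
    """Small probe used to demonstrate which calls the hardened code rejects."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # Constructed team: one owner, one admin, one plain member.
    team = Team({"alice": "owner", "bob": "member", "carol": "admin"})
    change_role_vulnerable(team, "bob", "bob", "owner")   # member promotes himself
    remove_member_vulnerable(team, "bob", "alice")         # ...and removes the owner
    print("vulnerable:", team.roles)
    team = Team({"alice": "owner", "bob": "member", "carol": "admin"})
    print("fixed blocks self-escalation:", is_forbidden(change_role_fixed, team, "bob", "bob", "owner"))
```

The hardened version keeps the same function signatures, so the change is purely in the authorization layer; the vulnerable version shows how a handler that looks protected (it does reject non-members) still lets the lowest-privileged member reach owner and evict everyone else.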
Attack Vector
The attack can be executed remotely over the network by any authenticated user of a Coolify instance, even one holding the lowest level of team membership. The attack sequence involves:
- An attacker authenticates to Coolify with any valid team member account
- The attacker sends requests to modify team roles, escalating their own account to owner
- Optionally, the attacker removes all other team members including legitimate owners and admins
- With owner privileges, the attacker accesses the Terminal feature
- The attacker executes arbitrary commands on managed servers
The vulnerability requires no user interaction and has low attack complexity. The CVSS scope is rated Changed because compromising the Coolify instance leads to compromise of all managed servers, extending the impact beyond the vulnerable component itself.
Detection Methods for CVE-2025-22611
Indicators of Compromise
- Unexpected changes to team member roles, particularly escalations to owner or admin roles
- Team members being removed without administrator action or approval
- Unusual Terminal feature access patterns or command execution by non-administrative users
- Audit log entries showing role modifications from low-privileged accounts
Detection Strategies
- Monitor Coolify audit logs for role modification events and correlate with expected administrative actions
- Implement alerting on any team membership changes, especially role escalations to owner
- Review Terminal access logs for commands executed by users who should not have that privilege level
- Deploy web application firewalls to detect anomalous API requests to team management endpoints
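As an added example of the indicators and detection strategies listed above (not code from the page, and not Coolify's own audit-log format, which may use different field and action names), the following Python script runs a few detection rules over constructed audit-log lines: role changes made by accounts below admin rank, self-escalation, any escalation to owner, a burst of member removals by one actor, and Terminal use by an account that was escalated earlier in the same log.

```python
"""Detection rules for the CVE-2025-22611 pattern, run over constructed
audit-log records. The JSON field names, action names and role names are
assumptions for this example; map them onto the real log layout in use."""
import json
from datetime import datetime, timedelta

RANK = {"member": 1, "admin": 2, "owner": 3}

# Constructed sample log: one legitimate owner action, then a sequence that
# matches the advisory's description (self-escalation, mass removal, Terminal use).
SAMPLE_LOG = """\
{"ts": "2025-01-24T10:00:00Z", "actor": "alice", "actor_role": "owner", "action": "role_change", "target": "carol", "old_role": "member", "new_role": "admin"}
{"ts": "2025-01-24T11:00:00Z", "actor": "bob", "actor_role": "member", "action": "role_change", "target": "bob", "old_role": "member", "new_role": "owner"}
{"ts": "2025-01-24T11:00:05Z", "actor": "bob", "actor_role": "owner", "action": "member_removed", "target": "alice"}
{"ts": "2025-01-24T11:00:06Z", "actor": "bob", "actor_role": "owner", "action": "member_removed", "target": "carol"}
{"ts": "2025-01-24T11:00:07Z", "actor": "bob", "actor_role": "owner", "action": "member_removed", "target": "dave"}
{"ts": "2025-01-24T11:02:00Z", "actor": "bob", "actor_role": "owner", "action": "terminal_exec", "target": "server-1"}
"""


def parse_events(text: str) -> list:
    """Parse newline-delimited JSON records, converting timestamps to datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # fromisoformat only accepts a numeric offset on older Pythons, so map "Z".
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def find_suspicious(events: list, window: timedelta = timedelta(minutes=5),
                    removal_threshold: int = 3) -> list:
    """Return one alert per suspicious event, each carrying every rule it tripped."""
    alerts = []
    escalated = set()   # accounts whose role was raised somewhere in this log
    removals = {}       # actor -> timestamps of recent member removals

    for ev in sorted(events, key=lambda e: e["ts"]):
        actor, action = ev["actor"], ev["action"]
        actor_rank = RANK.get(ev.get("actor_role"), 0)
        reasons = []

        if action == "role_change":
            old = RANK.get(ev.get("old_role"), 0)
            new = RANK.get(ev.get("new_role"), 0)
            if actor_rank < RANK["admin"]:
                reasons.append("role_change_by_low_privilege")
            if ev["target"] == actor and new > old:
                reasons.append("self_escalation")
            if ev.get("new_role") == "owner":
                reasons.append("escalation_to_owner")
            if new > old:
                escalated.add(ev["target"])

        elif action == "member_removed":
            if actor_rank < RANK["admin"]:
                reasons.append("removal_by_low_privilege")
            recent = [t for t in removals.get(actor, []) if ev["ts"] - t <= window]
            recent.append(ev["ts"])
            removals[actor] = recent
            if len(recent) == removal_threshold:   # fire once when the burst starts
                reasons.append("mass_removal")

        elif action == "terminal_exec" and actor in escalated:
            reasons.append("terminal_after_escalation")

        if reasons:
            alerts.append({"ts": ev["ts"].isoformat(), "actor": actor,
                           "target": ev.get("target"), "reasons": reasons})
    return alerts


def run_sample() -> list:
    """Apply the rules to the constructed sample log."""
    return find_suspicious(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample log the legitimate owner action produces nothing, while the member's self-promotion, the burst of three removals and the later Terminal use each produce an alert. The "escalation to owner" rule is deliberately unconditional: on a platform where owner rights reach every managed server, every owner grant deserves a human review even when the actor was already an admin.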
Monitoring Recommendations
- Enable comprehensive logging for all team management operations in Coolify
- Set up real-time alerts for privilege escalation events within the Coolify platform
- Regularly audit team membership and roles to identify unauthorized changes
- Monitor network traffic to Coolify for unusual patterns of API requests to sensitive endpoints
How to Mitigate CVE-2025-22611
Immediate Actions Required
- Upgrade Coolify to version 4.0.0-beta.361 or later immediately
- Audit current team memberships and roles to identify any unauthorized changes
- Review Terminal access logs and command history for evidence of exploitation
- If compromise is suspected, rotate credentials for all managed servers and revoke any suspicious access
Patch Information
Coollabs has released version 4.0.0-beta.361 which addresses this vulnerability by implementing proper authorization checks for team management functions. Organizations running any version prior to 4.0.0-beta.361 should upgrade immediately. The fix is detailed in the GitHub Security Advisory GHSA-9w72-9qww-qj6g.
Workarounds
- Restrict network access to Coolify instances to trusted IP ranges only until patching is possible
- Limit the number of team members with any level of access to reduce the attack surface
- Implement additional network-level authentication such as VPN requirements before accessing Coolify
- Monitor all team management activity closely if immediate patching is not feasible
# Update Coolify to the patched version
# Navigate to your Coolify installation directory and pull the latest version
cd /path/to/coolify
git fetch --tags
git checkout v4.0.0-beta.361
# Follow your standard deployment process to apply the update
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.