Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-22612

CVE-2025-22612: Coolify Auth Bypass Vulnerability

CVE-2025-22612 is an authorization bypass flaw in Coollabs Coolify that lets authenticated users retrieve private keys and execute arbitrary commands on remote servers. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-22612 Overview

CVE-2025-22612 is a critical authorization bypass vulnerability in Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. The vulnerability allows any authenticated user to retrieve existing private SSH keys stored on a Coolify instance in plain text. When the compromised server configuration (IP/domain, port, and user) matches a victim's server, attackers can leverage these stolen credentials to execute arbitrary commands on remote servers, potentially leading to complete infrastructure compromise.

Critical Impact

Authenticated attackers can steal plaintext private SSH keys and execute arbitrary commands on remote servers when server configurations match, enabling full infrastructure takeover.

Affected Products

  • Coollabs Coolify versions prior to 4.0.0-beta.374
  • Coolify 4.0.0-beta.18 through 4.0.0-beta.373
  • All Coolify installations using shared SSH key management

Discovery Timeline

  • January 24, 2025 - CVE-2025-22612 published to NVD
  • September 19, 2025 - Last updated in NVD database

Technical Details for CVE-2025-22612

Vulnerability Analysis

This vulnerability stems from a missing authorization check within Coolify's private key retrieval mechanism. The application fails to enforce proper access controls when authenticated users request SSH private keys, allowing any authenticated user—regardless of their assigned permissions or role—to access keys belonging to other users or system-level credentials. The vulnerability is particularly severe because SSH private keys are returned in plaintext, completely bypassing any encryption or access restriction that should protect such sensitive credentials.

The impact extends beyond simple information disclosure. Since Coolify is designed to manage remote servers, the stolen SSH keys can be directly used for lateral movement. If an attacker determines that a stolen key corresponds to a server with matching IP/domain, standard SSH port (22), and root user configuration, they can establish unauthorized SSH sessions and execute arbitrary commands with root privileges.

Root Cause

The root cause is a missing authorization check in the API endpoint or function responsible for retrieving private keys. The application authenticates users but does not verify whether the authenticated user has authorization to access the specific private key being requested. This represents a classic Broken Access Control vulnerability (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) where authentication is correctly implemented but authorization is absent or improperly enforced.

Attack Vector

The attack requires network access to a vulnerable Coolify instance and valid authentication credentials. An attacker with a low-privileged account on the Coolify platform can exploit this vulnerability through the following attack flow:

  1. Authenticate to the Coolify instance using any valid credentials
  2. Make API requests to enumerate and retrieve all stored private keys
  3. Receive private SSH keys in plaintext response
  4. Identify target servers by correlating key metadata with known infrastructure
  5. Use stolen keys to establish SSH connections to target servers
  6. Execute arbitrary commands with the privileges associated with the key (often root)

The vulnerability requires no user interaction and can be exploited remotely over the network. The scope extends beyond the vulnerable component itself, as compromised SSH keys can be used to access external systems that trust those keys.

Detection Methods for CVE-2025-22612

Indicators of Compromise

  • Unusual API requests to private key retrieval endpoints from non-administrative users
  • Multiple SSH key access attempts across different key IDs from a single user session
  • Unexpected SSH authentication events on managed servers from unfamiliar source IPs
  • Audit log entries showing bulk access to SSH key resources by low-privileged accounts

Detection Strategies

  • Implement API request logging for all private key access operations and alert on requests from users who should not have access to those keys
  • Monitor SSH authentication logs on managed servers for connections using known Coolify-managed keys from unexpected IP addresses
  • Deploy anomaly detection for user behavior patterns, flagging accounts that suddenly access resources outside their normal scope
  • Review Coolify access logs for enumeration patterns such as sequential key ID requests

Monitoring Recommendations

  • Enable comprehensive audit logging within Coolify and forward logs to a SIEM for correlation
  • Set up alerts for any SSH key access operations performed by non-owner users
  • Monitor network traffic for unusual outbound SSH connections from Coolify servers
  • Implement file integrity monitoring on SSH key storage locations within the Coolify deployment

How to Mitigate CVE-2025-22612

Immediate Actions Required

  • Upgrade Coolify to version 4.0.0-beta.374 or later immediately
  • Audit all SSH keys stored in Coolify and rotate any keys that may have been accessed by unauthorized users
  • Review access logs to identify any suspicious key retrieval activity prior to patching
  • Temporarily restrict network access to Coolify instances until patching is complete

Patch Information

Coolify version 4.0.0-beta.374 addresses this vulnerability by implementing proper authorization checks on the private key retrieval functionality. The patch ensures that only users with appropriate ownership or administrative permissions can access specific private keys. Organizations should update to this version or later as soon as possible.

For detailed patch information and the security advisory, see the Coolify GitHub Security Advisory.

Workarounds

  • Implement network-level access controls to restrict Coolify access to trusted IP addresses only until patching is complete
  • Disable or remove unnecessary user accounts from the Coolify instance to limit the pool of potential attackers
  • Deploy a web application firewall (WAF) with rules to detect and block bulk key retrieval requests
  • Consider temporarily disabling external network access to Coolify if immediate patching is not feasible
bash
# Example: Restrict network access to Coolify using firewall rules
# Allow only trusted IP ranges to access the Coolify web interface
iptables -A INPUT -p tcp --dport 3000 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP

# Alternative: Use UFW on Ubuntu/Debian systems
ufw allow from 10.0.0.0/8 to any port 3000
ufw deny 3000

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.