CVE-2025-22612 Overview
CVE-2025-22612 is a critical authorization bypass vulnerability in Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. The vulnerability allows any authenticated user to retrieve existing private SSH keys stored on a Coolify instance in plain text. When the compromised server configuration (IP/domain, port, and user) matches a victim's server, attackers can leverage these stolen credentials to execute arbitrary commands on remote servers, potentially leading to complete infrastructure compromise.
Critical Impact
Authenticated attackers can steal plaintext private SSH keys and execute arbitrary commands on remote servers when server configurations match, enabling full infrastructure takeover.
Affected Products
- Coollabs Coolify versions prior to 4.0.0-beta.374
- Coolify 4.0.0-beta.18 through 4.0.0-beta.373
- All Coolify installations using shared SSH key management
Discovery Timeline
- January 24, 2025 - CVE-2025-22612 published to NVD
- September 19, 2025 - Last updated in NVD database
Technical Details for CVE-2025-22612
Vulnerability Analysis
This vulnerability stems from a missing authorization check within Coolify's private key retrieval mechanism. The application fails to enforce proper access controls when authenticated users request SSH private keys, allowing any authenticated user—regardless of their assigned permissions or role—to access keys belonging to other users or system-level credentials. The vulnerability is particularly severe because SSH private keys are returned in plaintext, completely bypassing any encryption or access restriction that should protect such sensitive credentials.
The impact extends beyond simple information disclosure. Since Coolify is designed to manage remote servers, the stolen SSH keys can be directly used for lateral movement. If an attacker determines that a stolen key corresponds to a server with matching IP/domain, standard SSH port (22), and root user configuration, they can establish unauthorized SSH sessions and execute arbitrary commands with root privileges.
Root Cause
The root cause is a missing authorization check in the API endpoint or function responsible for retrieving private keys. The application authenticates users but does not verify whether the authenticated user has authorization to access the specific private key being requested. This represents a classic Broken Access Control vulnerability (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) where authentication is correctly implemented but authorization is absent or improperly enforced.
Attack Vector
The attack requires network access to a vulnerable Coolify instance and valid authentication credentials. An attacker with a low-privileged account on the Coolify platform can exploit this vulnerability through the following attack flow:
- Authenticate to the Coolify instance using any valid credentials
- Make API requests to enumerate and retrieve all stored private keys
- Receive private SSH keys in plaintext response
- Identify target servers by correlating key metadata with known infrastructure
- Use stolen keys to establish SSH connections to target servers
- Execute arbitrary commands with the privileges associated with the key (often root)
The vulnerability requires no user interaction and can be exploited remotely over the network. The scope extends beyond the vulnerable component itself, as compromised SSH keys can be used to access external systems that trust those keys.
Detection Methods for CVE-2025-22612
Indicators of Compromise
- Unusual API requests to private key retrieval endpoints from non-administrative users
- Multiple SSH key access attempts across different key IDs from a single user session
- Unexpected SSH authentication events on managed servers from unfamiliar source IPs
- Audit log entries showing bulk access to SSH key resources by low-privileged accounts
Detection Strategies
- Implement API request logging for all private key access operations and alert on requests from users who should not have access to those keys
- Monitor SSH authentication logs on managed servers for connections using known Coolify-managed keys from unexpected IP addresses
- Deploy anomaly detection for user behavior patterns, flagging accounts that suddenly access resources outside their normal scope
- Review Coolify access logs for enumeration patterns such as sequential key ID requests
Monitoring Recommendations
- Enable comprehensive audit logging within Coolify and forward logs to a SIEM for correlation
- Set up alerts for any SSH key access operations performed by non-owner users
- Monitor network traffic for unusual outbound SSH connections from Coolify servers
- Implement file integrity monitoring on SSH key storage locations within the Coolify deployment
How to Mitigate CVE-2025-22612
Immediate Actions Required
- Upgrade Coolify to version 4.0.0-beta.374 or later immediately
- Audit all SSH keys stored in Coolify and rotate any keys that may have been accessed by unauthorized users
- Review access logs to identify any suspicious key retrieval activity prior to patching
- Temporarily restrict network access to Coolify instances until patching is complete
Patch Information
Coolify version 4.0.0-beta.374 addresses this vulnerability by implementing proper authorization checks on the private key retrieval functionality. The patch ensures that only users with appropriate ownership or administrative permissions can access specific private keys. Organizations should update to this version or later as soon as possible.
For detailed patch information and the security advisory, see the Coolify GitHub Security Advisory.
Workarounds
- Implement network-level access controls to restrict Coolify access to trusted IP addresses only until patching is complete
- Disable or remove unnecessary user accounts from the Coolify instance to limit the pool of potential attackers
- Deploy a web application firewall (WAF) with rules to detect and block bulk key retrieval requests
- Consider temporarily disabling external network access to Coolify if immediate patching is not feasible
# Example: Restrict network access to Coolify using firewall rules
# Allow only trusted IP ranges to access the Coolify web interface
iptables -A INPUT -p tcp --dport 3000 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP
# Alternative: Use UFW on Ubuntu/Debian systems
ufw allow from 10.0.0.0/8 to any port 3000
ufw deny 3000
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
