CVE-2025-59955 Overview
CVE-2025-59955 is an information disclosure vulnerability affecting Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. The vulnerability exists in the /api/v1/teams/{team_id}/members and /api/v1/teams/current/members API endpoints, which allow authenticated team members to access highly sensitive email_change_code values from other users on the same team. This verification code is intended for single-use email change operations and should remain confidential. Exposure of this code could enable a malicious actor to perform unauthorized email address changes on behalf of other users.
Critical Impact
Authenticated attackers can hijack victim accounts by leveraging exposed email change verification codes to perform unauthorized email address modifications, potentially leading to full account takeover.
Affected Products
- Coolify versions prior to and including v4.0.0-beta.420.8
Discovery Timeline
- 2026-01-05 - CVE-2025-59955 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-59955
Vulnerability Analysis
This vulnerability is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data). The core issue stems from the API endpoints returning more data than necessary in their responses. When authenticated users query team member information through the affected endpoints, the API response includes the email_change_code field, which is a sensitive single-use token meant only for the specific user initiating an email change request.
The vulnerability requires network access and low-privilege authentication (team membership) to exploit. Once an attacker obtains the email change code from another team member's response data, they can use this code to complete an email verification flow that was initiated by the victim, effectively redirecting the victim's account to an attacker-controlled email address.
Root Cause
The root cause is improper data filtering in the API response serialization. The team member endpoints fail to exclude sensitive fields such as email_change_code from the response payload when returning user data. This is a classic case of over-exposure of sensitive information through API responses: the application serializes the full user record instead of only the fields a team member needs to see, so the principle of least privilege is not applied to data access.
Attack Vector
The attack vector is network-based and requires authenticated access as a team member. An attacker who is a legitimate member of a team can:
- Make an authenticated API request to /api/v1/teams/{team_id}/members or /api/v1/teams/current/members
- Parse the response to extract email_change_code values from other team members
- If a victim has initiated an email change, use their exposed verification code to complete the email change process
- Redirect the victim's account to an attacker-controlled email address
The attack requires the victim to have an active email change request in progress, as the email_change_code is generated only when such a request is initiated. For detailed technical information, see the GitHub Security Advisory.
Detection Methods for CVE-2025-59955
Indicators of Compromise
- Unusual API requests to /api/v1/teams/{team_id}/members or /api/v1/teams/current/members endpoints
- Multiple requests to team member endpoints from a single user in rapid succession
- Email change completions that occur from different IP addresses than the initiating request
- Account email changes that users report as unauthorized
Detection Strategies
- Monitor API access logs for repeated queries to the affected team member endpoints
- Implement anomaly detection for API response sizes that may indicate bulk data harvesting
- Alert on email change completions where the verification IP differs significantly from the request IP
- Track and correlate email change initiation events with completion events across different sessions
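The two strategies above that are easiest to automate (repeated member-listing queries from one user, and email change completions from an IP other than the initiating one) are shown here as detection logic over a constructed JSON-lines access log. This is an added example, not Coolify's own code; the log field names (ts, user, ip, path, event) are assumptions about a logging setup, and the sample entries are made up.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

MEMBER_ENDPOINT = re.compile(r"^/api/v1/teams/[^/]+/members$")

# Constructed JSON-lines access log for illustration; not real Coolify log output.
SAMPLE_LOG = """\
{"ts":"2026-01-06T10:00:00Z","user":"alice","ip":"203.0.113.5","path":"/profile/email-change","event":"email_change_initiated"}
{"ts":"2026-01-06T10:00:05Z","user":"mallory","ip":"198.51.100.7","path":"/api/v1/teams/current/members"}
{"ts":"2026-01-06T10:00:06Z","user":"mallory","ip":"198.51.100.7","path":"/api/v1/teams/12/members"}
{"ts":"2026-01-06T10:00:07Z","user":"mallory","ip":"198.51.100.7","path":"/api/v1/teams/12/members"}
{"ts":"2026-01-06T10:01:00Z","user":"alice","ip":"198.51.100.7","path":"/profile/email-change/verify","event":"email_change_completed"}
{"ts":"2026-01-06T12:00:00Z","user":"bob","ip":"192.0.2.9","path":"/api/v1/teams/current/members"}
"""

def parse_log(text):
    events = [json.loads(l) for l in text.splitlines() if l.strip()]
    for ev in events:
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return events

def member_enumeration(events, threshold=3, window=timedelta(seconds=60)):
    """Users issuing >= threshold member-listing requests inside one sliding window."""
    hits = defaultdict(list)
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not MEMBER_ENDPOINT.match(ev["path"]):
            continue
        times = hits[ev["user"]]
        times.append(ev["ts"])
        while times and ev["ts"] - times[0] > window:
            times.pop(0)
        if len(times) >= threshold:
            flagged.add(ev["user"])
    return flagged

def mismatched_email_changes(events):
    """Email changes whose completion came from a different IP than the initiation."""
    pending, findings = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("event") == "email_change_initiated":
            pending[ev["user"]] = ev["ip"]
        elif ev.get("event") == "email_change_completed":
            init_ip = pending.pop(ev["user"], None)
            if init_ip is not None and init_ip != ev["ip"]:
                findings.append((ev["user"], init_ip, ev["ip"]))
    return findings
```

On the sample log, mallory is flagged for three member-listing requests within a minute, and alice's email change is flagged because it was completed from mallory's address rather than the one that started it.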
Monitoring Recommendations
- Enable detailed API access logging for all team-related endpoints
- Configure alerts for bulk enumeration patterns against member listing endpoints
- Implement rate limiting on the affected API endpoints to slow potential data harvesting
- Monitor for account takeover indicators such as password resets following email changes
How to Mitigate CVE-2025-59955
Immediate Actions Required
- Audit recent API access logs for signs of exploitation targeting the affected endpoints
- Review recent email change activities for any unauthorized modifications
- Consider temporarily disabling the email change functionality until a patch is available
- Notify team members of the vulnerability and advise them to monitor their accounts
Patch Information
As of the time of publication, no known patched versions exist for this vulnerability. Organizations should monitor the Coolify GitHub repository for security updates and apply patches as soon as they become available.
Workarounds
- Implement API gateway filtering to strip the email_change_code field from responses on the affected endpoints
- Deploy a reverse proxy rule to sanitize API responses before they reach clients
- Restrict access to team member listing endpoints to only administrators if operationally feasible
- Consider implementing additional verification steps for email changes, such as requiring password re-entry
# Example nginx configuration to filter sensitive fields (workaround)
# Add to your nginx configuration for the Coolify reverse proxy
location ~ ^/api/v1/teams/.*/members {
    proxy_pass http://coolify_backend;
    # sub_filter can only rewrite uncompressed upstream responses
    proxy_set_header Accept-Encoding "";
    # Enable response modification for JSON bodies
    sub_filter_types application/json;
    # sub_filter does literal string replacement only: this renames the key so
    # clients no longer see email_change_code, but the value itself stays in the
    # body under the new name. Prefer a JSON-aware filter (or the upstream fix)
    # that drops the field and its value entirely.
    sub_filter '"email_change_code":' '"_redacted":';
    sub_filter_once off;
}
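The nginx snippet above can only rename a key, which is why the Root Cause and Workarounds sections both point at the same fix: drop sensitive fields from the serialized response rather than patch the text. The added example below (not Coolify's code) shows a JSON-aware sanitizer of the kind an API gateway or reverse proxy hook would apply, and a check that demonstrates why a literal key rename still leaks the value. The response shape, the extra denylisted field names and the sample values are assumptions.

```python
import json

# Fields that must never appear in a team-member listing. email_change_code is the
# field exposed by CVE-2025-59955; the others are assumed examples of the same class.
SENSITIVE_FIELDS = frozenset({"email_change_code", "password", "remember_token", "two_factor_secret"})

def strip_sensitive(value, denylist=SENSITIVE_FIELDS):
    """Recursively remove denylisted keys from a decoded JSON document."""
    if isinstance(value, dict):
        return {k: strip_sensitive(v, denylist) for k, v in value.items() if k not in denylist}
    if isinstance(value, list):
        return [strip_sensitive(v, denylist) for v in value]
    return value

def sanitize_response(body: bytes) -> bytes:
    """Gateway/reverse-proxy hook: re-serialize the upstream JSON without secret fields."""
    return json.dumps(strip_sensitive(json.loads(body)), separators=(",", ":")).encode()

def secret_values(body: bytes, denylist=SENSITIVE_FIELDS):
    """Collect the values stored under denylisted keys anywhere in a JSON body."""
    found = []
    def walk(v):
        if isinstance(v, dict):
            for k, x in v.items():
                if k in denylist and x is not None:
                    found.append(str(x))
                walk(x)
        elif isinstance(v, list):
            for x in v:
                walk(x)
    walk(json.loads(body))
    return found

# Constructed upstream response; shape and values are assumptions, not Coolify's real format.
UPSTREAM = json.dumps({"data": [
    {"id": 1, "name": "alice", "email": "alice@example.com", "email_change_code": "CODE-1234"},
    {"id": 2, "name": "bob", "email": "bob@example.com", "email_change_code": None},
]}).encode()

def rename_only(body: bytes) -> bytes:
    """Literal key rename, as a string-replacing proxy filter (nginx sub_filter) would do."""
    return body.replace(b'"email_change_code":', b'"_redacted":')

def leaks(body: bytes, secrets) -> bool:
    """True if any secret value is still present anywhere in the body."""
    return any(s.encode() in body for s in secrets)
```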
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


