Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-59955

CVE-2025-59955: Coolify Information Disclosure Flaw

CVE-2025-59955 is an information disclosure vulnerability in Coolify that exposes sensitive email change codes to authenticated team members. This article covers the technical details, affected versions, and mitigation strategies.

Updated:

CVE-2025-59955 Overview

CVE-2025-59955 is an information disclosure vulnerability affecting Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. The vulnerability exists in the /api/v1/teams/{team_id}/members and /api/v1/teams/current/members API endpoints, which allow authenticated team members to access highly sensitive email_change_code values from other users on the same team. This verification code is intended for single-use email change operations and should remain confidential. Exposure of this code could enable a malicious actor to perform unauthorized email address changes on behalf of other users.

Critical Impact

Authenticated attackers can hijack victim accounts by leveraging exposed email change verification codes to perform unauthorized email address modifications, potentially leading to full account takeover.

Affected Products

  • Coolify versions prior to and including v4.0.0-beta.420.8

Discovery Timeline

  • 2026-01-05 - CVE CVE-2025-59955 published to NVD
  • 2026-01-08 - Last updated in NVD database

Technical Details for CVE-2025-59955

Vulnerability Analysis

This vulnerability is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data). The core issue stems from the API endpoints returning more data than necessary in their responses. When authenticated users query team member information through the affected endpoints, the API response includes the email_change_code field, which is a sensitive single-use token meant only for the specific user initiating an email change request.

The vulnerability requires network access and low-privilege authentication (team membership) to exploit. Once an attacker obtains the email change code from another team member's response data, they can use this code to complete an email verification flow that was initiated by the victim, effectively redirecting the victim's account to an attacker-controlled email address.

Root Cause

The root cause is improper data filtering in the API response serialization. The team member endpoints fail to exclude sensitive fields like email_change_code from the response payload when returning user data. This represents a classic case of over-exposure of sensitive information through API responses, where the application does not properly implement the principle of least privilege in data access.

Attack Vector

The attack vector is network-based and requires authenticated access as a team member. An attacker who is a legitimate member of a team can:

  1. Make an authenticated API request to /api/v1/teams/{team_id}/members or /api/v1/teams/current/members
  2. Parse the response to extract email_change_code values from other team members
  3. If a victim has initiated an email change, use their exposed verification code to complete the email change process
  4. Redirect the victim's account to an attacker-controlled email address

The attack requires the victim to have an active email change request in progress, as the email_change_code is generated only when such a request is initiated. For detailed technical information, see the GitHub Security Advisory.

Detection Methods for CVE-2025-59955

Indicators of Compromise

  • Unusual API requests to /api/v1/teams/{team_id}/members or /api/v1/teams/current/members endpoints
  • Multiple requests to team member endpoints from a single user in rapid succession
  • Email change completions that occur from different IP addresses than the initiating request
  • Account email changes that users report as unauthorized

Detection Strategies

  • Monitor API access logs for repeated queries to the affected team member endpoints
  • Implement anomaly detection for API response sizes that may indicate bulk data harvesting
  • Alert on email change completions where the verification IP differs significantly from the request IP
  • Track and correlate email change initiation events with completion events across different sessions

Monitoring Recommendations

  • Enable detailed API access logging for all team-related endpoints
  • Configure alerts for bulk enumeration patterns against member listing endpoints
  • Implement rate limiting on the affected API endpoints to slow potential data harvesting
  • Monitor for account takeover indicators such as password resets following email changes

How to Mitigate CVE-2025-59955

Immediate Actions Required

  • Audit recent API access logs for signs of exploitation targeting the affected endpoints
  • Review recent email change activities for any unauthorized modifications
  • Consider temporarily disabling the email change functionality until a patch is available
  • Notify team members of the vulnerability and advise them to monitor their accounts

Patch Information

As of the time of publication, no known patched versions exist for this vulnerability. Organizations should monitor the Coolify GitHub repository for security updates and apply patches as soon as they become available.

Workarounds

  • Implement API gateway filtering to strip the email_change_code field from responses on the affected endpoints
  • Deploy a reverse proxy rule to sanitize API responses before they reach clients
  • Restrict access to team member listing endpoints to only administrators if operationally feasible
  • Consider implementing additional verification steps for email changes, such as requiring password re-entry
bash
# Example nginx configuration to filter sensitive fields (workaround)
# Add to your nginx configuration for the Coolify reverse proxy
location ~ ^/api/v1/teams/.*/members {
    proxy_pass http://coolify_backend;
    # Enable response modification
    sub_filter_types application/json;
    sub_filter '"email_change_code":' '"_redacted":';
    sub_filter_once off;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.