CVE-2025-64421 Overview
CVE-2025-64421 is a privilege escalation vulnerability affecting Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. The vulnerability allows a low-privileged user (member) to bypass authorization controls and invite themselves as an administrator to the Coolify instance. While the application initially throws an error when a low-privileged user attempts to invite a high-privileged user, clicking the invite button a second time successfully bypasses this restriction. After successfully inviting a high-privileged account, an attacker can initiate a password reset and gain administrative access to the platform.
Critical Impact
Low-privileged users can escalate to administrative access, potentially gaining full control over the Coolify instance including all managed servers, applications, and databases.
Affected Products
- Coolify versions up to and including v4.0.0-beta.434
Discovery Timeline
- 2026-01-05 - CVE-2025-64421 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-64421
Vulnerability Analysis
This vulnerability is classified as CWE-863 (Incorrect Authorization), indicating a fundamental flaw in how the application validates user permissions during the invitation workflow. The authorization bypass occurs due to a race condition or state management issue in the invitation logic.
The attack exploits a critical flaw in the invitation system where the initial authorization check properly rejects the request, but a subsequent identical request bypasses this validation. This suggests the error handling or state management in the invitation workflow inadvertently creates a window where the authorization check is not properly enforced.
Once a low-privileged attacker successfully invites an administrator account (which can be tied to an email address they control), they can leverage the password reset functionality to gain access to that admin account. This provides full administrative privileges over the entire Coolify instance, including control over all managed infrastructure.
Root Cause
The root cause lies in improper authorization enforcement within the user invitation workflow. The application fails to consistently validate user privileges when processing invitation requests. The fact that the first request is rejected but the second succeeds indicates that the authorization state is not properly maintained between requests, or there is a logic flaw that allows the second request to bypass the privilege check entirely.
This represents a classic Broken Access Control vulnerability where the authorization logic does not properly enforce role-based restrictions for sensitive administrative operations like inviting privileged users.
Attack Vector
The attack is network-based and requires only a low-privileged (member) account on the Coolify instance. The exploitation path follows these steps:
- The attacker authenticates as a low-privileged member user
- The attacker initiates an invitation for a high-privileged (admin) user role, using an email address they control
- The application throws an error, which the attacker ignores
- The attacker clicks the invite button a second time
- The invitation succeeds despite the lack of proper authorization
- The attacker initiates a password reset for the newly created admin account
- The attacker gains administrative access to the Coolify instance
No user interaction is required beyond the attacker's own actions. Technical details regarding this vulnerability can be found in the GitHub Security Advisory.
Detection Methods for CVE-2025-64421
Indicators of Compromise
- Multiple invitation attempts for administrator or high-privileged roles from non-admin users
- Invitation error responses followed immediately by successful invitation creation
- Unusual password reset requests for newly created administrator accounts
- Low-privileged users gaining administrator access without proper authorization workflow
Detection Strategies
- Monitor invitation API endpoints for repeated requests from the same session with identical parameters
- Alert on any successful admin user invitations originating from sessions with member-level privileges
- Implement audit logging to track privilege level changes and invitation workflows
- Review access logs for patterns showing error responses followed by successful requests to the same endpoint
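The two log patterns above (repeated invite requests from one session with identical parameters, and an error response followed by a success on the same endpoint) combined into one detector and run over constructed sample lines. This is an added example, not Coolify's own logging or code; the /team/invite path, the role field and the log layout are assumptions to be adapted to the real log format.

```python
"""Flag the error-then-success invitation pattern in constructed access log lines."""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real Coolify logs). Field order:
# timestamp, session id, actor role, method, path, form params, HTTP status.
# The endpoint path and the role field are assumptions about the deployment.
SAMPLE_LOG = """\
2026-01-06T10:00:01Z sess-42 member POST /team/invite email=m@example.net&role=admin 403
2026-01-06T10:00:04Z sess-42 member POST /team/invite email=m@example.net&role=admin 200
2026-01-06T10:05:00Z sess-07 admin  POST /team/invite email=dev@example.com&role=member 200
2026-01-06T10:06:00Z sess-42 member POST /team/invite email=n@example.net&role=member 403
"""
INVITE_PATH = "/team/invite"   # hypothetical path; adjust to the real endpoint
WINDOW_SECONDS = 60            # max gap between the rejected and the accepted request


def parse(line):
    """Split one whitespace-separated log line into a dict of typed fields."""
    ts, sess, role, method, path, params, status = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "sess": sess,
            "role": role, "method": method, "path": path,
            "params": params, "status": int(status)}


def find_suspicious(log_text):
    """Return (alert, session, params) tuples for the two detection rules."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    by_key = defaultdict(list)
    for e in events:
        if e["path"] == INVITE_PATH and e["method"] == "POST":
            by_key[(e["sess"], e["params"])].append(e)
    alerts = []
    # Rule 1: same session, identical parameters, error then success within the window.
    for (sess, params), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            gap = (cur["ts"] - prev["ts"]).total_seconds()
            if prev["status"] >= 400 and cur["status"] < 300 and gap <= WINDOW_SECONDS:
                alerts.append(("retry-bypass", sess, params))
    # Rule 2: any successful admin invitation issued from a non-admin session.
    for e in events:
        if (e["path"] == INVITE_PATH and e["status"] < 300
                and e["role"] != "admin" and "role=admin" in e["params"]):
            alerts.append(("member-invited-admin", e["sess"], e["params"]))
    return alerts
```

Both rules fire on sess-42 in the sample, while the admin's own invitation and the single rejected request produce nothing.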
Monitoring Recommendations
- Enable comprehensive audit logging for all user invitation and privilege modification operations
- Set up alerts for administrator account creation events that bypass normal approval workflows
- Monitor for password reset requests targeting recently created administrator accounts
- Implement rate limiting on invitation endpoints to slow exploitation attempts
How to Mitigate CVE-2025-64421
Immediate Actions Required
- Restrict access to Coolify instances to trusted users only until a patch is available
- Review existing user accounts for any unauthorized administrator privileges
- Implement network-level access controls to limit who can reach the Coolify management interface
- Enable multi-factor authentication for all administrator accounts
- Monitor audit logs for signs of exploitation attempts
Patch Information
As of the time of publication, it is unclear if a patch is available. Organizations should monitor the Coolify GitHub repository for security updates and apply patches immediately when released. Upgrading to a version beyond v4.0.0-beta.434 may address this issue once a fix is made available.
Workarounds
- Limit member-level access to only absolutely trusted users until a patch is applied
- Implement a reverse proxy with additional authentication layers in front of the Coolify interface
- Disable or restrict the user invitation functionality if possible through configuration
- Place Coolify instances behind a VPN to limit network exposure
- Regularly audit user privilege levels to detect unauthorized escalation
# Example: Restrict network access to Coolify using iptables
# Allow access only from the trusted management network (10.0.0.0/24 is a placeholder)
# Adjust --dport if the Coolify UI is not served on 8000
# -A appends, so an earlier ACCEPT rule for this port in the chain would still take precedence
iptables -A INPUT -p tcp --dport 8000 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP
# Repeat the same rules with ip6tables if the host is reachable over IPv6
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.