CVE-2025-64425 Overview
CVE-2025-64425 is a Host Header Poisoning vulnerability affecting Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. This vulnerability allows an attacker to manipulate the password reset functionality by modifying the Host header in the HTTP request. When a victim clicks on the malicious password reset link sent to their email, their reset token is transmitted to the attacker's controlled server, enabling complete account takeover.
Critical Impact
Attackers can hijack user accounts by intercepting password reset tokens through Host header manipulation, potentially gaining unauthorized access to server management capabilities.
Affected Products
- Coolify versions up to and including v4.0.0-beta.434
Discovery Timeline
- 2026-01-05 - CVE-2025-64425 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-64425
Vulnerability Analysis
This vulnerability is classified under CWE-644 (Improper Neutralization of HTTP Headers for Scripting Syntax), indicating that the application fails to properly validate or sanitize the Host header in HTTP requests. The password reset mechanism in Coolify uses the Host header value to construct the password reset URL that is sent to users via email. Because the application trusts the Host header without proper validation, an attacker can inject a malicious domain into this header.
The attack requires user interaction—the victim must click on the malicious link in the password reset email. However, since the email appears to come from the legitimate Coolify instance and the password reset was initiated for the victim's actual account, the likelihood of user interaction is significant.
Root Cause
The root cause of this vulnerability lies in the improper handling of the HTTP Host header within Coolify's password reset functionality. Instead of using a configured, trusted base URL for generating password reset links, the application dynamically reads the Host header from the incoming request. This design flaw allows attackers to inject arbitrary domain values that are then incorporated into the password reset email sent to victims.
The application fails to implement proper Host header validation or use a whitelist of allowed domains, making it susceptible to this class of attack.
Attack Vector
The attack vector is network-based and requires the following sequence of events:
- The attacker identifies a target user's email address registered with the Coolify instance
- The attacker initiates a password reset request for the victim's account
- In the password reset request, the attacker modifies the Host header to point to their malicious server
- The victim receives a legitimate-looking password reset email containing a link to the attacker's domain
- When the victim clicks the link, their password reset token is sent to the attacker's server
- The attacker uses the captured token to reset the victim's password and gain access to their account
The vulnerability mechanism relies on the application trusting user-controlled input (the Host header) to construct security-critical URLs. For detailed technical analysis, refer to the GitHub Security Advisory.
Detection Methods for CVE-2025-64425
Indicators of Compromise
- Unusual password reset requests originating from suspicious IP addresses
- Password reset emails containing links to unexpected or unknown domains
- HTTP request logs showing mismatched Host headers compared to the actual server hostname
- User reports of password changes they did not initiate
Detection Strategies
- Monitor HTTP request logs for password reset endpoints with anomalous Host header values
- Implement alerting for password reset requests where the Host header does not match the configured server domain
- Review authentication logs for successful password resets followed by logins from new IP addresses or geolocations
- Analyze email server logs for password reset emails containing unexpected URL domains
Monitoring Recommendations
- Enable detailed logging on the password reset functionality including full HTTP headers
- Set up security information and event management (SIEM) rules to detect Host header manipulation attempts
- Monitor for bulk password reset requests which may indicate reconnaissance or attack preparation
- Implement user notification mechanisms for password changes to alert users of unauthorized account modifications
How to Mitigate CVE-2025-64425
Immediate Actions Required
- Review and audit all password reset logs for signs of exploitation
- Notify users who may have received password reset emails to verify the legitimacy of any links before clicking
- Consider temporarily disabling the password reset functionality until a patch is applied
- Implement network-level controls to validate Host headers at the reverse proxy or load balancer level
Patch Information
As of the time of publication, it is unclear if a patch is available for this vulnerability. Organizations should monitor the GitHub Security Advisory for updates on remediation. Additional technical documentation may be available via the associated documentation.
Workarounds
- Configure a reverse proxy (such as nginx or Apache) to enforce a specific Host header value and reject requests with unexpected values
- Use application-level configuration to hardcode the base URL for password reset links instead of relying on the Host header
- Implement an allowlist of permitted Host header values in web server or application configuration
- Enable HTTPS with proper certificate validation to make Host header manipulation more difficult
# Example nginx configuration to enforce Host header
# Add to server block configuration
server {
listen 443 ssl;
server_name coolify.yourdomain.com;
# Reject requests with unexpected Host headers
if ($host !~ ^(coolify\.yourdomain\.com)$) {
return 444;
}
# ... rest of configuration
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
