Command Execution Vulnerability in Coolify by Coollabs
CVE-2025-22605

8.5HIGH

Key Information:

Vendor: Coollabsio
Status: Coolify
Vendor: CVE Published:; 24 January 2025

What is CVE-2025-22605?

Coolify, an open-source self-hostable management tool, is susceptible to a command execution flaw that permits authenticated users to execute arbitrary code within the local Coolify container. This vulnerability, present in versions prior to 4.0.0-beta.253, enables attackers to access sensitive data, including private keys and tokens, compromising data integrity across affected instances. Particularly vulnerable are centrally hosted Coolify setups with multiple user registrations, where any malicious user may exploit this issue to leak or manipulate the data and functionality of the platform.

Affected Version(s)

coolify >= 4.0.0-beta.18, < 4.0.0-beta.253

References

https://github.com/coollabsio/coolify/security/advisories...

x_refsource_CONFIRM

https://github.com/coollabsio/coolify/pull/1524

x_refsource_MISC

https://github.com/coollabsio/coolify/pull/1625

x_refsource_MISC

CVSS V4

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 24, 2025
Vulnerability Reserved
Jan 7, 2025

Coollabsio

What is CVE-2025-22605?

Affected Version(s)

References

CVSS V4

Timeline