Missing Authorization in Coolify Affects Server Management Security
CVE-2025-22607
CVSS v4: 4.7 (MEDIUM)
Key Information:
- Vendor: Coollabsio
- Product: Coolify
- CVE Published: 24 January 2025
Summary
Coolify, a self-hostable tool for managing servers, applications, and databases, has a missing-authorization vulnerability that lets authenticated users read sensitive configuration details they do not own. Prior to version 4.0.0-beta.361, any authenticated user could retrieve the details of any GitHub or GitLab configuration solely by knowing the UUID of the model; no check was made that the record belonged to the requesting user's team. Because these records hold the 'client id', 'client secret', and 'webhook secret' of the integration, the flaw exposes credentials that protect the connected GitHub or GitLab services.
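The root cause described above is a lookup keyed only on a guessable-or-shared identifier. The following is an added illustration written for this page, not Coolify's own code: it assumes a team-ownership model (each integration record belongs to one team) and constructed sample data, and shows the unscoped lookup beside the team-scoped one, plus redaction of secrets in API responses as defence in depth.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SourceConfig:
    """A GitHub/GitLab integration record as stored server-side (hypothetical shape)."""
    uuid: str
    team_id: int
    provider: str          # "github" or "gitlab"
    client_id: str
    client_secret: str
    webhook_secret: str


class NotFound(Exception):
    """Raised for both missing and foreign records, so existence is not revealed."""


# Constructed sample data: two teams, each owning one integration.
STORE = {
    cfg.uuid: cfg
    for cfg in [
        SourceConfig("11111111-aaaa-4aaa-8aaa-111111111111", 1, "github",
                     "Iv1.team1", "gh-secret-team1", "wh-team1"),
        SourceConfig("22222222-bbbb-4bbb-8bbb-222222222222", 2, "gitlab",
                     "gl-app-team2", "gl-secret-team2", "wh-team2"),
    ]
}


def get_config_vulnerable(uuid: str, caller_team_id: int) -> SourceConfig:
    """Pre-fix pattern: the caller's team is never consulted, so any
    authenticated user who learns a UUID receives the full record."""
    if uuid not in STORE:
        raise NotFound(uuid)
    return STORE[uuid]


def get_config_fixed(uuid: str, caller_team_id: int) -> SourceConfig:
    """Fixed pattern: the lookup is scoped to the caller's team. A record
    owned by another team is treated exactly like a non-existent one."""
    cfg = STORE.get(uuid)
    if cfg is None or cfg.team_id != caller_team_id:
        raise NotFound(uuid)
    return cfg


def to_api_response(cfg: SourceConfig) -> dict:
    """Defence in depth: even an authorised caller rarely needs secrets
    echoed back, so the API view masks them."""
    return {"uuid": cfg.uuid, "provider": cfg.provider, "client_id": cfg.client_id,
            "client_secret": "***", "webhook_secret": "***"}
```

A regression test for this class of bug is simply: a caller from team 1 asking for team 2's UUID must get the same error as for a random UUID.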
Affected Version(s)
coolify < 4.0.0-beta.361
CVSS V4
- Score: 4.7
- Severity: MEDIUM
- Confidentiality: High
- Integrity: None
- Availability: None
- Attack Vector: Local
- Attack Complexity: Low
- Attack Required: Physical
- Privileges Required: Undefined
- User Interaction: None
Timeline
- Vulnerability published
- Vulnerability reserved