Missing Authorization in Coolify Affects Server Management Security
CVE-2025-22607
4.7 MEDIUM
What is CVE-2025-22607?
Coolify, a self-hostable tool designed for managing servers, applications, and databases, has a vulnerability that allows authenticated users to access sensitive configuration details without proper authorization. Prior to version 4.0.0-beta.361, users could retrieve the details of any GitHub or GitLab configuration solely by knowing the UUID of the model. This flaw potentially exposes critical information, including the 'client id', 'client secret', and 'webhook secret', posing significant risks to the security of the integrated services.
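The missing check described above, shown as an added example that is not Coolify's code: a lookup keyed only on UUID next to one bound to the caller's ownership scope. The `team_id` ownership field, the function names, the in-memory store and the redacted response shape are assumptions for illustration; the sample records are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class GitSource:
    uuid: str
    team_id: int          # assumed ownership field, not taken from the advisory
    client_id: str
    client_secret: str
    webhook_secret: str

class NotFound(Exception):
    """Raised for unknown UUIDs and for UUIDs owned by another team."""

# Constructed sample data: two tenants, one Git source configuration each.
SOURCES = {s.uuid: s for s in (
    GitSource("00000000-0000-0000-0000-000000000001", 1,
              "team1-client-id", "team1-client-secret", "team1-webhook-secret"),
    GitSource("00000000-0000-0000-0000-000000000002", 2,
              "team2-client-id", "team2-client-secret", "team2-webhook-secret"),
)}

def get_source_unscoped(source_uuid: str) -> GitSource:
    """Flawed pattern: the caller is authenticated, but ownership is never checked."""
    source = SOURCES.get(source_uuid)
    if source is None:
        raise NotFound(source_uuid)
    return source

def get_source_scoped(source_uuid: str, caller_team_id: int) -> GitSource:
    """Corrected pattern: the lookup is bound to the caller's team."""
    source = SOURCES.get(source_uuid)
    # Same error for "missing" and "not yours", so a response never confirms
    # that a UUID belonging to another team exists.
    if source is None or source.team_id != caller_team_id:
        raise NotFound(source_uuid)
    return source

def to_response(source: GitSource) -> dict:
    """Serialize for a response without echoing the stored secrets."""
    return {
        "uuid": source.uuid,
        "client_id": source.client_id,
        "client_secret_set": bool(source.client_secret),
        "webhook_secret_set": bool(source.webhook_secret),
    }
```

A regression test for this class of bug requests another tenant's UUID as an authenticated user and asserts the not-found path, as the scoped function enforces here.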
Affected Version(s)
coolify < 4.0.0-beta.361