Missing Authorization in Coolify Allows Remote Command Execution
CVE-2025-22609
What is CVE-2025-22609?
CVE-2025-22609 is a missing-authorization vulnerability in Coolify, an open-source tool for managing servers, applications, and databases. In versions prior to 4.0.0-beta.361, an authenticated user can link any existing private key to their own server instance, because no check confirms that the user is entitled to use that key. If the server configuration the user supplies (such as IP/domain, port, and user credentials) matches that of a targeted server, the user can open a session to it through the Terminal feature, leading to unauthorized command execution and potentially significant operational disruption within an organization.
Technical Details
The vulnerability arises from an inadequate authorization check in Coolify: any authenticated user can attach an existing private key to a server without Coolify verifying that the key belongs to that user. This allows users to misappropriate SSH keys uploaded by others and use them to connect to, and execute arbitrary commands on, any server that accepts those keys. The issue is exploitable wherever the attacker's server entry (IP/domain, port, user) matches that of a legitimately configured server, which underscores that the ownership check on the key was the missing control.
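As an added illustration that is not Coolify's code, the following constructed Python model shows the authorization pattern at issue: a link handler that checks only that the caller is authenticated and owns the server (the shape of the flaw) beside one that also verifies the private key belongs to the caller's team, plus an audit helper that lists existing server/key links the stricter check would have refused. The team-based ownership model, all names and the sample data are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class PrivateKey:
    key_id: int
    team_id: int  # team that uploaded/owns the key (assumed ownership model)

@dataclass
class Server:
    server_id: int
    team_id: int
    private_key_id: Optional[int] = None  # key used for SSH/Terminal access

class AuthorizationError(Exception):
    """Raised when the caller may not perform the requested link."""

def sample_data() -> Tuple[Dict[int, PrivateKey], Dict[int, Server]]:
    """Constructed sample state: two teams, each with one key and one server."""
    keys = {1: PrivateKey(1, team_id=10), 2: PrivateKey(2, team_id=20)}
    servers = {100: Server(100, team_id=10), 200: Server(200, team_id=20)}
    return keys, servers

def link_key_vulnerable(user_team: int, servers, keys, server_id: int, key_id: int) -> Server:
    """Shape of the flaw: the caller must own the server, but nothing checks
    who owns the key, so any existing key_id is accepted."""
    server, key = servers[server_id], keys[key_id]
    if server.team_id != user_team:
        raise AuthorizationError("server belongs to another team")
    server.private_key_id = key.key_id
    return server

def link_key_fixed(user_team: int, servers, keys, server_id: int, key_id: int) -> Server:
    """Hardened form: the key must also be owned by the caller's team."""
    server, key = servers[server_id], keys[key_id]
    if server.team_id != user_team:
        raise AuthorizationError("server belongs to another team")
    if key.team_id != user_team:
        raise AuthorizationError("private key belongs to another team")
    server.private_key_id = key.key_id
    return server

def find_cross_team_links(servers, keys) -> List[Tuple[int, int]]:
    """Audit helper: (server_id, key_id) pairs whose key is owned by a different
    team than the server, i.e. links the hardened check would have refused."""
    return [(s.server_id, s.private_key_id) for s in servers.values()
            if s.private_key_id is not None
            and keys[s.private_key_id].team_id != s.team_id]
```

Running the audit helper over existing records is a practical way to find links made before the ownership check was introduced.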
Potential Impact of CVE-2025-22609
- Remote Command Execution: The primary concern is the ability for an attacker to execute arbitrary commands on a target server. This could lead to unauthorized access to sensitive data, system manipulation, or complete system takeover.
- Data Breaches: Exploitation of this vulnerability could result in significant data breaches, compromising user data, intellectual property, or confidential organizational information.
- Operational Disruption: Successful exploitation could lead to disruptions in services and operations, impacting an organization's productivity and potentially harming its reputation.
Affected Version(s)
coolify < 4.0.0-beta.361