Authorization Flaw in Coolify Affects OAuth Configuration Management
CVE-2025-22610

5.7MEDIUM

Key Information:

Vendor: Coollabsio
Status: Coolify
Vendor: CVE Published:; 24 January 2025

What is CVE-2025-22610?

Coolify, an open-source platform for managing servers and applications, has a vulnerability that allows any authenticated user to access the global OAuth configuration settings. This flaw exposes sensitive credentials including the 'client id' and 'client secret' for all custom OAuth providers, potentially enabling unauthorized access and modification of the global OAuth settings. The issue has been addressed in version 4.0.0-beta.361.

Affected Version(s)

coolify < 4.0.0-beta.361

References

https://github.com/coollabsio/coolify/security/advisories...

x_refsource_CONFIRM

CVSS V4

Score:

5.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 24, 2025
Vulnerability Reserved
Jan 7, 2025

Coollabsio

What is CVE-2025-22610?

Affected Version(s)

References

CVSS V4

Timeline