Account takeover vulnerability in Coolify by Coollabs
CVE-2025-64425

8.5HIGH

Key Information:

Vendor: Coollabsio
Status: Coolify
Vendor: CVE Published:; 5 January 2026

What is CVE-2025-64425?

Coolify is an open-source tool for managing server applications and databases that suffers from a significant vulnerability. In versions up to and including v4.0.0-beta.434, attackers can exploit this flaw to trigger a password reset request on behalf of a target user. By manipulating the host header in the request, attackers can redirect the password reset email to a malicious server. If the victim interacts with the provided reset link, their reset token is divulged to the attacker, allowing for unauthorized account access. Current details regarding the availability of a patch to address this issue remain unconfirmed.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

coolify <= 4.0.0-beta.434

References

https://github.com/coollabsio/coolify/security/advisories...

x_refsource_CONFIRM

https://drive.google.com/file/d/1I5sJHcpetJbKlwVS2usAD7qm...

x_refsource_MISC

CVSS V4

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Timeline

Vulnerability published
Jan 5, 2026
Vulnerability Reserved
Nov 3, 2025

JSON

Coollabsio