PT-2025-4595 · Coolify · Coolify

Angelej

·

Published

2025-01-24

·

Updated

2025-02-05

·

CVE-2025-22609

CVSS v3.1

10

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Coolify versions prior to 4.0.0-beta.361

Description

The issue allows any authenticated user of a Coolify instance to attach any private key stored on that instance, including keys uploaded by other users, to a server record they control. The "Terminal" feature connects to the server's configured IP/domain, port and user with the attached key, so if the attacker's server record matches the victim's server configuration, the attacker can execute arbitrary commands on the victim's server. This potentially grants root access to other servers.

Recommendations

Coolify versions prior to 4.0.0-beta.361: update to version 4.0.0-beta.361 or later to fix the issue. As a temporary workaround until the update can be applied, restrict access to the Terminal feature. Additionally, review server configurations: a server record owned by another user whose IP/domain, port and user match one of your servers, or a private key attached to a server outside the team that uploaded it, is a sign that the issue has already been exploited. Because the attacker creates and controls the matching server record, this review detects abuse but does not prevent it.
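To make the authorization gap concrete, here is an added model of the flaw and its fix in Python. It is not Coolify's code (Coolify is a PHP/Laravel application); the data model, the function names, the team/key/server ids and the sample state are all hypothetical. The vulnerable attach function only checks that the requested key id exists, the fixed one checks that both the key and the server belong to the caller's team, and an audit function lists server records that use another team's key, which is the check a defender would run after patching.

```python
"""Model of the Coolify private-key authorization flaw (CVE-2025-22609).

Hypothetical data model and function names; this is NOT Coolify's code.
"""
from dataclasses import dataclass
from typing import Optional


class Forbidden(Exception):
    """Raised when a caller may not use the referenced object."""


@dataclass
class PrivateKey:
    id: int
    team_id: int          # team that uploaded the key (its owner)
    name: str


@dataclass
class Server:
    id: int
    team_id: int          # team that owns this server record
    ip: str
    port: int
    user: str
    private_key_id: Optional[int] = None


# Constructed sample state: team 1 (victim) owns key 7 and the server record
# for 203.0.113.10; team 2 (attacker) owns an unrelated server and no keys.
KEYS = {
    7: PrivateKey(id=7, team_id=1, name="victim-root-key"),
}
SERVERS = {
    10: Server(id=10, team_id=1, ip="203.0.113.10", port=22, user="root", private_key_id=7),
    20: Server(id=20, team_id=2, ip="198.51.100.5", port=22, user="deploy"),
}


def attach_key_vulnerable(actor_team: int, server: Server, key_id: int) -> Server:
    """Pre-fix behaviour: the key id from the request is only checked for existence."""
    if key_id not in KEYS:
        raise KeyError(key_id)
    server.private_key_id = key_id      # no check that KEYS[key_id] belongs to actor_team
    return server


def attach_key_fixed(actor_team: int, server: Server, key_id: int) -> Server:
    """Object-level authorization: the key and the server must both belong to the caller's team."""
    key = KEYS.get(key_id)
    # Same error for "does not exist" and "not yours", so the endpoint cannot be used
    # to enumerate which key ids exist on the instance.
    if key is None or key.team_id != actor_team:
        raise Forbidden(f"key {key_id} is not available to team {actor_team}")
    if server.team_id != actor_team:
        raise Forbidden(f"server {server.id} is not owned by team {actor_team}")
    server.private_key_id = key_id
    return server


def terminal_target(server: Server) -> tuple:
    """What the Terminal feature would connect to for this record:
    (host, port, user, team that owns the key it authenticates with)."""
    if server.private_key_id is None:
        raise ValueError("server has no private key attached")
    return (server.ip, server.port, server.user, KEYS[server.private_key_id].team_id)


def find_cross_team_key_use() -> list:
    """Post-patch audit: ids of server records that use a key owned by another team."""
    return sorted(
        s.id for s in SERVERS.values()
        if s.private_key_id is not None and KEYS[s.private_key_id].team_id != s.team_id
    )


def demo_attack() -> dict:
    """Reproduce the attack path from the advisory against the vulnerable function."""
    # Attacker (team 2) creates a server record whose IP/port/user match the victim's.
    clone = Server(id=21, team_id=2, ip="203.0.113.10", port=22, user="root")
    SERVERS[clone.id] = clone
    attach_key_vulnerable(actor_team=2, server=clone, key_id=7)   # succeeds: no ownership check
    return {
        "target": terminal_target(clone),       # victim host, as root, with team 1's key
        "flagged": find_cross_team_key_use(),   # the audit catches the record
    }


def fixed_blocks_attack() -> bool:
    """The same attempt against the fixed function is rejected and attaches nothing."""
    clone = Server(id=22, team_id=2, ip="203.0.113.10", port=22, user="root")
    try:
        attach_key_fixed(actor_team=2, server=clone, key_id=7)
    except Forbidden:
        return clone.private_key_id is None
    return False


if __name__ == "__main__":
    print(demo_attack())
    print("fixed version rejects the attack:", fixed_blocks_attack())
```

The fix is the single ownership comparison on the key; the Terminal feature itself is not the bug, it only turns the mis-attached key into command execution. The audit function is what the "review server configurations" recommendation amounts to in practice: look for keys in use outside the team that uploaded them.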

Exploit · Fix · LPE · RCE

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2025-22609
GHSA-3W2C-JFR2-9PG9

Affected Products

Coolify