CVE-2025-22612

CVSS v3.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Coolify versions prior to 4.0.0-beta.374

Description The issue allows an authenticated user to retrieve any existing private keys on a Coolify instance in plain text due to missing authorization. If the server configuration of IP/domain, port, and user matches with the victim's server configuration, the attacker can execute arbitrary commands on the remote server.

Recommendations Coolify versions prior to 4.0.0-beta.374 should be updated to version 4.0.0-beta.374 to fix the issue.

Exploit

Fix

Missing Authorization

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862CWE-200

Related Identifiers

CVE-2025-22612

GHSA-WG8X-CGQ4-VJXJ

Affected Products

Coolify

CVE-2025-22612

Weakness Enumeration

Related Identifiers

Affected Products

References · 14