Cyber Resilience

CVE-2025-22611

CriticalPublic PoC

Published: 24 January 2025

Published
24 January 2025
Modified
19 September 2025
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0047 65.2th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-22611 is a critical-severity Missing Authorization (CWE-862) vulnerability in Coollabs Coolify. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 34.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-2 (Account Management).

Deeper analysis

CVE-2025-22611 is a missing authorization vulnerability (CWE-862) in Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. The issue affects versions prior to 4.0.0-beta.361 and has a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). It stems from inadequate checks that permit unauthorized privilege modifications within teams.

Any authenticated user with low privileges can exploit this vulnerability over the network with no user interaction required. The attacker can escalate their own privileges or those of other team members to any role, including owner. They can also evict all other members from the team, including admins and owners, thereby assuming full control. This grants access to the Terminal feature, enabling execution of arbitrary remote commands on managed servers.

The official GitHub security advisory (GHSA-9w72-9qww-qj6g) at https://github.com/coollabsio/coolify/security/advisories/GHSA-9w72-9qww-qj6g documents the vulnerability. Version 4.0.0-beta.361 addresses and fixes the issue, and users should upgrade to this or later versions for mitigation.

EU & UK References

Vulnerability details

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to escalate his or any other team members privileges to any role, including the owner role.…

more

He's also able to kick every other member out of the team, including admins and owners. This allows the attacker to access the `Terminal` feature and execute remote commands. Version 4.0.0-beta.361 fixes the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1098 Account Manipulation Persistence
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
T1531 Account Access Removal Impact
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Missing authorization enables unauthorized role escalation and member eviction (T1068, T1098, T1531); owner access then allows arbitrary remote command execution via Terminal on managed servers (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-22609Same product: Coollabs Coolify
CVE-2025-22612Same product: Coollabs Coolify
CVE-2025-66209Same product: Coollabs Coolify
CVE-2025-22605Same product: Coollabs Coolify
CVE-2025-34161Same product: Coollabs Coolify
CVE-2025-64424Same product: Coollabs Coolify
CVE-2025-66210Same product: Coollabs Coolify
CVE-2025-66211Same product: Coollabs Coolify
CVE-2025-66212Same product: Coollabs Coolify
CVE-2025-34159Same product: Coollabs Coolify

Affected Assets

coollabs
coolify
4.0.0 · ≤ 4.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 requires enforcement of approved authorizations for access, directly mitigating the missing authorization checks that enable privilege escalations and team member evictions in Coolify.

prevent

AC-6 enforces least privilege, limiting the damage potential from unauthorized privilege escalations to owner roles.

prevent

AC-2 establishes account management procedures for controlling role assignments and modifications, countering unauthorized changes to user privileges and team memberships.

References