CVE-2025-22611
Published: 24 January 2025
Summary
CVE-2025-22611 is a critical-severity Missing Authorization (CWE-862) vulnerability in Coollabs Coolify. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 35.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-2 (Account Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 requires enforcement of approved authorizations for access, directly mitigating the missing authorization checks that enable privilege escalations and team member evictions in Coolify.
AC-6 enforces least privilege, limiting the damage potential from unauthorized privilege escalations to owner roles.
AC-2 establishes account management procedures for controlling role assignments and modifications, countering unauthorized changes to user privileges and team memberships.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization enables unauthorized role escalation and member eviction (T1068, T1098, T1531); owner access then allows arbitrary remote command execution via Terminal on managed servers (T1059.004).
NVD Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to escalate his or any other team members privileges to any role, including the owner role.…
more
He's also able to kick every other member out of the team, including admins and owners. This allows the attacker to access the `Terminal` feature and execute remote commands. Version 4.0.0-beta.361 fixes the issue.
Deeper analysisAI
CVE-2025-22611 is a missing authorization vulnerability (CWE-862) in Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. The issue affects versions prior to 4.0.0-beta.361 and has a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). It stems from inadequate checks that permit unauthorized privilege modifications within teams.
Any authenticated user with low privileges can exploit this vulnerability over the network with no user interaction required. The attacker can escalate their own privileges or those of other team members to any role, including owner. They can also evict all other members from the team, including admins and owners, thereby assuming full control. This grants access to the Terminal feature, enabling execution of arbitrary remote commands on managed servers.
The official GitHub security advisory (GHSA-9w72-9qww-qj6g) at https://github.com/coollabsio/coolify/security/advisories/GHSA-9w72-9qww-qj6g documents the vulnerability. Version 4.0.0-beta.361 addresses and fixes the issue, and users should upgrade to this or later versions for mitigation.
Details
- CWE(s)