Cyber Posture

CVE-2025-22612

Critical · Public PoC

Published: 24 January 2025
Modified: 19 September 2025
KEV Added: not listed
Patch: available (4.0.0-beta.374)
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0052 (66.9th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-22612 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Coollabs Coolify. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 33.1% of CVEs by EPSS exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and two further techniques, Private Keys (T1552.004) and SSH (T1021.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)

Enforces approved authorizations for accessing sensitive resources like private keys, directly addressing the missing authorization checks that allowed authenticated users to retrieve any keys in plain text.

AC-6 Least Privilege (prevent)

Implements least privilege to restrict authenticated users' access to only the private keys they need, mitigating broad unauthorized retrieval across the Coolify instance.

Cryptographic key management (prevent)

Mandates secure management of cryptographic keys, including storage and access controls, preventing exposure of private SSH keys used for server authentication.
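The AC-3 control above is the one that closes the actual bug class here (CWE-862): the endpoint checked that the caller was logged in but never checked that the caller was allowed to see the particular key. The following Python model is an added example, not Coolify's code (Coolify is a Laravel application and its real models, routes and team structure are not reproduced here); the User, PrivateKey and KEYS names are constructed for illustration. It places a handler that only authenticates beside one that also scopes the lookup to the caller's team, and an audit helper that tells the two apart.

```python
"""Toy model of the authorization gap behind CVE-2025-22612.

Added example, not Coolify's code. The classes, the in-memory KEYS store
and the team layout are constructed here to contrast an "authenticated
only" lookup (the pre-fix pattern) with an object-level authorization
check (the post-fix pattern, NIST 800-53 AC-3 / AC-6).
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class User:
    id: int
    team_id: int


@dataclass(frozen=True)
class PrivateKey:
    id: int
    team_id: int
    name: str
    pem: str  # held in plain text, as the advisory describes


class Forbidden(Exception):
    """Caller is not logged in."""


class NotFound(Exception):
    """Key does not exist, or is outside the caller's scope."""


# Constructed sample data: two teams, one private key each.
KEYS: Dict[int, PrivateKey] = {
    1: PrivateKey(1, team_id=10, name="prod-web",
                  pem="-----BEGIN OPENSSH PRIVATE KEY-----\nteam10\n-----END OPENSSH PRIVATE KEY-----"),
    2: PrivateKey(2, team_id=20, name="staging",
                  pem="-----BEGIN OPENSSH PRIVATE KEY-----\nteam20\n-----END OPENSSH PRIVATE KEY-----"),
}

Handler = Callable[[Optional[User], int], str]


def get_private_key_vulnerable(caller: Optional[User], key_id: int) -> str:
    """Pre-fix pattern: authentication only.

    Any logged-in user can fetch any key by ID, which is the missing
    authorization (CWE-862) that leaks keys across teams (CWE-200).
    """
    if caller is None:
        raise Forbidden("login required")
    try:
        return KEYS[key_id].pem
    except KeyError:
        raise NotFound(key_id) from None


def get_private_key_fixed(caller: Optional[User], key_id: int) -> str:
    """Post-fix pattern: authentication plus object-level authorization.

    The lookup is scoped to the caller's team. A key outside that scope is
    reported as NotFound rather than Forbidden, so the endpoint also does
    not confirm which key IDs exist in other teams.
    """
    if caller is None:
        raise Forbidden("login required")
    key = KEYS.get(key_id)
    if key is None or key.team_id != caller.team_id:
        raise NotFound(key_id)
    return key.pem


def cross_team_leak(handler: Handler) -> bool:
    """Audit helper: True if a team-20 user can read team 10's key (id 1)."""
    attacker = User(id=99, team_id=20)
    try:
        handler(attacker, 1)
        return True
    except (Forbidden, NotFound):
        return False


def owner_can_read(handler: Handler) -> bool:
    """Regression check: the legitimate owner must still get their own key."""
    owner = User(id=1, team_id=10)
    return handler(owner, 1) == KEYS[1].pem


if __name__ == "__main__":
    for name, h in (("vulnerable", get_private_key_vulnerable),
                    ("fixed", get_private_key_fixed)):
        print(f"{name}: cross-team leak={cross_team_leak(h)}, owner ok={owner_can_read(h)}")
```

The same two-line test (can a foreign team read it, can the owner still read it) is what a code reviewer should ask of every "fetch by ID" route that returns secrets: a check on the session alone is not an authorization check.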

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1552.004 Private Keys (Credential Access)
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials.

T1021.004 SSH (Lateral Movement)
Adversaries may use [Valid Accounts](https://attack.
Why these techniques?

The flaw in a public-facing Coolify instance is exploited (T1190) to bypass authorization and retrieve stored private keys (T1552.004); a retrieved key that matches a managed server's host, port and user then gives SSH authentication and command execution on that server (T1021.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.374, the missing authorization allows an authenticated user to retrieve any existing private keys on a coolify instance in plain text. If the server configuration of IP / domain, port (most likely 22) and user (root) matches with the victim's server configuration, then the attacker can execute arbitrary commands on the remote server. Version 4.0.0-beta.374 fixes the issue.
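Because the fix is a beta build, a naive check such as comparing version strings lexicographically misjudges the boundary ("4.0.0-beta.99" sorts after "4.0.0-beta.374"). The snippet below is an added example, not Coolify's code: it parses the x.y.z-beta.N form Coolify uses and reports whether a given build predates 4.0.0-beta.374. How the running version is obtained (UI, API or container tag) is outside the snippet and is an assumption of whatever wraps it.

```python
"""Is this Coolify build older than the fix release (4.0.0-beta.374)?

Added example, not Coolify's code. It assumes version strings of the form
'4.0.0-beta.374' (optionally prefixed with 'v'), with a plain '4.0.0'
meaning the final release, which ranks above every 4.0.0 beta.
"""
import re
from typing import Tuple

FIXED_VERSION = "4.0.0-beta.374"

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-beta\.(\d+))?$")


def parse_version(v: str) -> Tuple[int, int, int, Tuple[int, int]]:
    """Return a tuple that sorts correctly.

    The last element is (0, N) for '-beta.N' and (1, 0) for a final
    release, so 4.0.0-beta.99 < 4.0.0-beta.374 < 4.0.0.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Coolify version: {v!r}")
    major, minor, patch, beta = m.groups()
    pre = (0, int(beta)) if beta is not None else (1, 0)
    return (int(major), int(minor), int(patch), pre)


def is_vulnerable(version: str) -> bool:
    """True when the build predates the advisory's fix release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


if __name__ == "__main__":
    # Constructed sample inputs; the last one shows why string comparison fails.
    for v in ("4.0.0-beta.373", "4.0.0-beta.374", "4.0.0-beta.380", "4.0.0", "v4.0.0-beta.99"):
        print(f"{v:>16}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
    print("string compare says beta.99 > beta.374:", "4.0.0-beta.99" > "4.0.0-beta.374")
```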

Deeper analysis

CVE-2025-22612 is a critical missing-authorization vulnerability (CWE-862) that results in sensitive information exposure (CWE-200) in Coolify, an open-source, self-hostable tool for managing servers, applications, and databases. In versions prior to 4.0.0-beta.374, an authenticated user can retrieve any private key stored on the Coolify instance in plain text, regardless of which team or project owns it. The CVSS v3.1 base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H): network-reachable, low complexity, and scored with a scope change because the leaked keys compromise servers beyond the Coolify instance itself. One caveat when reading that vector: PR:N (no privileges required) does not match the advisory's stated precondition of an authenticated user, so the practical prerequisite is a valid account on the instance, not anonymous access.

An attacker with an account on the Coolify instance exploits the flaw by fetching private keys directly, since no authorization check is applied to the request. If a stolen key corresponds to a victim's server configuration, that is, the server's IP or domain, port (typically 22 for SSH) and user (often root), the attacker can authenticate with it and execute arbitrary commands on that server, which amounts to full remote compromise of every host the instance manages with that key.

The GitHub advisory (GHSA-wg8x-cgq4-vjxj) confirms that Coolify 4.0.0-beta.374 resolves the issue by adding the missing authorization controls on private-key access. Practitioners should prioritize patching affected instances and review which authenticated users exist on each deployment. Patching does not undo an earlier leak, so any key that was stored on an instance while it ran a vulnerable build should be treated as potentially exposed and rotated, with the old public key removed from the authorized_keys of the servers it granted access to.
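The response step that matters after upgrading is finding which managed servers still trust a key that sat on the vulnerable instance. The script below is an added example and not part of the page or of Coolify. It assumes you can export the public halves of the keys the instance stored (every key present before the upgrade is treated as exposed) and can collect authorized_keys files from the managed servers; it computes OpenSSH-style SHA256 fingerprints and reports each host that still lists an exposed key. The two ed25519 key lines it uses are constructed in code from placeholder bytes and are not real key pairs.

```python
"""Find servers whose authorized_keys still trust a key that was stored on a
Coolify instance affected by CVE-2025-22612.

Added example, not Coolify's code. Fingerprints are computed the way
ssh-keygen -l does for SHA256: base64(sha256(key blob)) without '='
padding, prefixed with 'SHA256:'. All inputs below are constructed.
"""
import base64
import hashlib
import struct
from typing import Dict, Iterable, List


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (4-byte big-endian length + data)."""
    return struct.pack(">I", len(b)) + b


def constructed_ed25519_pubkey(placeholder: bytes, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 authorized_keys line from a
    32-byte placeholder. Constructed sample data, not a usable key pair."""
    assert len(placeholder) == 32
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(placeholder)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of a public-key or authorized_keys line.

    authorized_keys lines may carry leading options (e.g. 'no-pty'), so the
    key type is the first field that looks like an SSH key type and the
    base64 blob is the field after it.
    """
    fields = pubkey_line.split()
    for i, f in enumerate(fields):
        if f.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no SSH public key found in line")


def audit_authorized_keys(exposed_pubkeys: Iterable[str],
                          authorized_keys_by_host: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {host: [fingerprints]} for every host that still trusts an exposed key."""
    exposed = {fingerprint(k) for k in exposed_pubkeys}
    hits: Dict[str, List[str]] = {}
    for host, lines in authorized_keys_by_host.items():
        for line in lines:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            try:
                fp = fingerprint(line)
            except (ValueError, base64.binascii.Error):
                continue  # unparsable line; not a match
            if fp in exposed:
                hits.setdefault(host, []).append(fp)
    return hits


# Constructed inputs: two keys that lived on the vulnerable instance, one unrelated key.
EXPOSED = [
    constructed_ed25519_pubkey(bytes(range(32)), "coolify-prod"),
    constructed_ed25519_pubkey(bytes(range(32, 64)), "coolify-staging"),
]
UNRELATED = constructed_ed25519_pubkey(bytes(range(64, 96)), "ops-laptop")

AUTHORIZED_KEYS = {
    "web-1": ["# root's authorized_keys", EXPOSED[0], UNRELATED],
    "db-1": ["no-pty " + EXPOSED[1]],          # options prefix still matches
    "bastion": [UNRELATED],                    # trusts nothing exposed
}


def run_audit() -> Dict[str, List[str]]:
    return audit_authorized_keys(EXPOSED, AUTHORIZED_KEYS)


if __name__ == "__main__":
    for host, fps in run_audit().items():
        print(f"{host}: rotate {', '.join(fps)}")
```

Matching on fingerprints rather than raw lines is deliberate: the same public key can appear with different comments or option prefixes on different hosts, and the fingerprint is what ssh-keygen -l and the server logs print, so the report can be cross-checked against them.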

Details

CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-862 (Missing Authorization)

Affected Products

coollabs coolify
Listed range: 4.0.0 · ≤ 4.0.0 (per the advisory, every build before 4.0.0-beta.374)

CVEs Like This One

CVE-2025-22609Same product: Coollabs Coolify
CVE-2025-64420Same product: Coollabs Coolify
CVE-2025-22611Same product: Coollabs Coolify
CVE-2025-64425Same product: Coollabs Coolify
CVE-2025-66213Same product: Coollabs Coolify
CVE-2025-59157Same product: Coollabs Coolify
CVE-2025-64419Same product: Coollabs Coolify
CVE-2025-66210Same product: Coollabs Coolify
CVE-2025-64424Same product: Coollabs Coolify
CVE-2025-66211Same product: Coollabs Coolify
