Cyber Posture

CVE-2025-64420

Critical · Public PoC

Published: 05 January 2026
Modified: 12 January 2026
KEV Added: not listed
Patch: unclear whether one is available (see NVD description)
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0008 (23.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-64420 is a critical-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Coollabs Coolify. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Private Keys (T1552.004). The CVE ranks at the 23.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Private Keys (T1552.004), followed by SSH (T1021.004) using the stolen key. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent · IA-5 mandates protection of authenticators like the root private key from unauthorized disclosure to low-privileged users.

prevent · AC-6 enforces least privilege, preventing low-privileged users from accessing root private keys needed for SSH escalation.

prevent · AC-3 requires enforcement of access control policies to block low-privileged users from viewing sensitive root credentials in the Coolify interface.
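The three controls above describe one authorization gate: the key view must check that the caller belongs to the server's team (AC-3), must hand the private key only to a role that needs it (AC-6), and must log each disclosure (IA-5). The following is an added illustration written for this page, not Coolify's own code (Coolify is a PHP/Laravel project; this is a language-neutral sketch in Python). The team, role names, users and key strings are constructed placeholders. It shows the CWE-522 pattern, where being logged in is the only check, next to a hardened version in which ordinary members only ever see public key material.

```python
"""Least-privilege gate for server credential material (illustrative, not Coolify code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    team: str
    role: str  # "member" or "admin" (assumed role names)


@dataclass(frozen=True)
class Server:
    name: str
    team: str
    private_key: str  # held server-side; a PEM blob in a real system
    public_key: str


class PermissionDenied(Exception):
    pass


AUDIT_LOG: list = []  # (event, user, server) tuples; a real system would persist these


def key_view_vulnerable(user: User, server: Server) -> dict:
    """The CWE-522 shape: no team or role check, so any authenticated
    user who can reach this view reads the root private key."""
    return {"private_key": server.private_key, "public_key": server.public_key}


def key_view_hardened(user: User, server: Server) -> dict:
    """AC-3: caller must be on the server's team. AC-6: only admins get the
    private key; members receive public material, which is all a UI needs
    (fingerprint, authorized_keys line). IA-5: each disclosure is logged."""
    if user.team != server.team:
        AUDIT_LOG.append(("denied", user.name, server.name))
        raise PermissionDenied(f"{user.name} is not on team {server.team}")
    view = {"public_key": server.public_key}
    if user.role == "admin":
        AUDIT_LOG.append(("private_key_read", user.name, server.name))
        view["private_key"] = server.private_key
    return view


# Constructed fixtures: not real keys, not real users.
ROOT_SERVER = Server(
    "app01", "ops",
    private_key="-----BEGIN OPENSSH PRIVATE KEY----- (placeholder)",
    public_key="ssh-ed25519 AAAA... root@app01 (placeholder)",
)
ADMIN = User("alice", "ops", "admin")
MEMBER = User("bob", "ops", "member")
OUTSIDER = User("mallory", "other", "admin")


def demo() -> tuple:
    """Returns whether the private key was exposed in each case:
    (vulnerable view to member, hardened view to member,
     hardened view to admin, outsider denied by hardened view)."""
    vuln_member = "private_key" in key_view_vulnerable(MEMBER, ROOT_SERVER)
    hard_member = "private_key" in key_view_hardened(MEMBER, ROOT_SERVER)
    hard_admin = "private_key" in key_view_hardened(ADMIN, ROOT_SERVER)
    try:
        key_view_hardened(OUTSIDER, ROOT_SERVER)
        outsider_denied = False
    except PermissionDenied:
        outsider_denied = True
    return vuln_member, hard_member, hard_admin, outsider_denied


if __name__ == "__main__":
    print(demo())
    print(AUDIT_LOG)
```

A stricter design keeps the private key out of every HTTP response: the backend uses it to open SSH sessions itself and the UI exposes only the public key, the fingerprint and a "rotate" action, so even an admin account compromise does not yield the key.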

MITRE ATT&CK Enterprise Techniques

T1552.004 Private Keys Credential Access
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials.
T1021.004 SSH Lateral Movement
Adversaries may use [Valid Accounts](https://attack.
Why these techniques?

Direct exposure of root private key (T1552.004) enables SSH authentication as root (T1021.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions prior to and including v4.0.0-beta.434, low privileged users are able to see the private key of the root user on the Coolify instance. This allows them to ssh to the server and authenticate as root user, using the private key. As of time of publication, it is unclear if a patch is available.

Deeper analysis

CVE-2025-64420 is a critical vulnerability in Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. In versions prior to and including v4.0.0-beta.434, low-privileged users can access the private key of the root user on the Coolify instance. This issue, tied to CWE-522 (Insufficiently Protected Credentials), carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), reflecting its severe potential impact.

An attacker with low privileges and network access to the Coolify instance can exploit this vulnerability with low complexity and no user interaction required. By viewing the exposed root private key, they can use it to authenticate via SSH directly as the root user on the server, achieving full administrative control. This grants high-impact privileges over confidentiality, integrity, and availability across the affected system's scope.

The primary reference, a GitHub security advisory (GHSA-qwxj-qch7-whpc), states that as of the CVE's publication on 2026-01-05, it remains unclear if a patch is available. Because any low-privileged user could have read the key, administrators should treat it as compromised: rotate it (generate a new key pair, install the new public key in root's authorized_keys on every managed server, and remove the old one), restrict which accounts can reach the Coolify instance until a fix ships, monitor the Coolify repository for updates, and review sshd authentication logs on managed servers for root logins made with the exposed key.
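The log review above, and the T1552.004 to T1021.004 chain in the ATT&CK section, come down to one question: which root logins on the managed servers were made with the key that Coolify exposed? The script below is an added example for this page, not Coolify's or OpenSSH's code. It computes the SHA256 fingerprint of an authorized_keys line the way sshd prints it, then scans "Accepted publickey" lines and flags root logins that used the exposed key or came from a source other than the Coolify host. The key bytes, addresses and log lines are constructed; the key is not a real key, only its fingerprint matters here.

```python
"""Flag root SSH logins made with an exposed key (added example, constructed data)."""
import base64
import hashlib
import re
import struct

# Successful key auth line as modern sshd logs it; the fingerprint is the last field.
ACCEPTED_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2: "
    r"(?P<keytype>\S+) (?P<fp>SHA256:\S+)"
)


def make_ed25519_pubkey(raw32: bytes, comment: str) -> str:
    """Build an authorized_keys line from 32 raw key bytes.
    Wire format: two length-prefixed strings (algorithm name, key).
    Used only to keep the example self-contained; raw32 is NOT a real key."""
    if len(raw32) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def openssh_fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint as sshd and ssh-keygen -l print it: unpadded base64."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_root_logins(log_lines, exposed_fingerprint, allowed_sources):
    """Return (source, fingerprint, reasons) for every root login that used the
    exposed key or came from a host other than the expected Coolify instance."""
    findings = []
    for line in log_lines:
        m = ACCEPTED_RE.search(line)
        if not m or m["user"] != "root":
            continue
        reasons = []
        if m["fp"] == exposed_fingerprint:
            reasons.append("exposed_key")        # key any Coolify user could read
        if m["src"] not in allowed_sources:
            reasons.append("unexpected_source")  # root logins should only come from Coolify
        if reasons:
            findings.append((m["src"], m["fp"], reasons))
    return findings


# Constructed fixtures: stand-ins for the key Coolify installed for root.
EXPOSED_PUBKEY = make_ed25519_pubkey(bytes(range(32)), "coolify-root")  # not a real key
EXPOSED_FP = openssh_fingerprint(EXPOSED_PUBKEY)
ALLOWED_SOURCES = {"198.51.100.10"}     # assumed address of the Coolify host
OTHER_FP = "SHA256:" + "A" * 43         # an unrelated key's fingerprint (constructed)

SAMPLE_LOG = [  # constructed auth.log lines
    f"Jan 12 09:14:02 app01 sshd[2213]: Accepted publickey for root from 198.51.100.10 port 51234 ssh2: ED25519 {EXPOSED_FP}",
    f"Jan 12 09:15:40 app01 sshd[2301]: Accepted publickey for root from 203.0.113.5 port 40212 ssh2: ED25519 {EXPOSED_FP}",
    f"Jan 12 09:16:03 app01 sshd[2310]: Accepted publickey for deploy from 203.0.113.5 port 40220 ssh2: ED25519 {OTHER_FP}",
    f"Jan 12 09:17:55 app01 sshd[2355]: Accepted publickey for root from 198.51.100.10 port 51300 ssh2: ED25519 {OTHER_FP}",
    "Jan 12 09:18:10 app01 sshd[2360]: Failed password for invalid user admin from 203.0.113.9 port 33001 ssh2",
]


def run_audit():
    return audit_root_logins(SAMPLE_LOG, EXPOSED_FP, ALLOWED_SOURCES)


if __name__ == "__main__":
    for src, fp, reasons in run_audit():
        print(f"root login from {src} with {fp}: {', '.join(reasons)}")
```

On a real host, feed it the public half of the key Coolify stored (the fingerprint must match what `ssh-keygen -lf` prints) and the sshd lines from journald or auth.log; the first sample line shows why the exposed-key check matters even for logins from the expected source, since after disclosure every use of that key is suspect until it is rotated.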

Details

CWE(s)

CWE-522 Insufficiently Protected Credentials

Affected Products

coollabs
coolify
4.0.0 · ≤ 4.0.0 (per the NVD description: all versions prior to and including v4.0.0-beta.434)

CVEs Like This One

CVE-2025-22609 · Same product: Coollabs Coolify
CVE-2025-22612 · Same product: Coollabs Coolify
CVE-2025-64423 · Same product: Coollabs Coolify
CVE-2025-66209 · Same product: Coollabs Coolify
CVE-2025-59157 · Same product: Coollabs Coolify
CVE-2025-22606 · Same product: Coollabs Coolify
CVE-2025-22611 · Same product: Coollabs Coolify
CVE-2025-66211 · Same product: Coollabs Coolify
CVE-2025-22605 · Same product: Coollabs Coolify
CVE-2025-59156 · Same product: Coollabs Coolify

References

GHSA-qwxj-qch7-whpc · GitHub Security Advisory (primary reference)