CVE-2025-64425
Published: 05 January 2026
Summary
CVE-2025-64425 is a high-severity Improper Neutralization of HTTP Headers for Scripting Syntax (CWE-644) vulnerability in Coollabs Coolify. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 22.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly prevents the vulnerability by requiring validation of the HTTP Host header values used to generate password reset links, blocking malicious host manipulation.
- Requires timely identification, reporting, and patching of the specific flaw that allows Host header poisoning in the password reset functionality.
- Ensures secure configuration settings, such as a fixed base URL for password reset links, so that link generation does not rely on the untrusted Host header.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct exploitation of a public-facing web application (Coolify) via Host header injection in password reset flow to achieve account takeover.
NVD Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, an attacker can initiate a password reset for a victim, and modify the host header of the request to a malicious value. The victim will receive a password reset email, with a link to the malicious host. If the victim clicks this link, their reset token is sent to the attacker's server, allowing the attacker to use it to change the victim's password and take over their account. As of time of publication, it is unclear if a patch is available.
Deeper analysis
CVE-2025-64425 is a vulnerability in Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. It affects versions up to and including v4.0.0-beta.434. The issue stems from an attacker being able to initiate a password reset for a victim user and modify the Host header of the request to a malicious value. This results in the victim receiving a password reset email with a link pointing to the attacker's server instead of the legitimate one.
An unauthenticated attacker with network access can exploit this vulnerability against any user account; the attack is low in complexity but requires user interaction from the victim. If the victim clicks the malicious link, their reset token is sent to the attacker's server, allowing the attacker to use it to change the victim's password and achieve full account takeover. The CVSS v3.1 base score is 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts with no availability impact.
The primary references include the GitHub security advisory at GHSA-f737-2p93-g2cw and a detailed report at a Google Drive link. As of the CVE publication on 2026-01-05T21:16:12.857, it remains unclear if a patch is available.
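As an added illustration of the weakness class and its fix, the following is an editor's example, not Coolify's code: the flawed pattern the advisory describes (reset link built from the request's Host header) beside a hardened version that applies the CM-6 and SI-10 controls listed above, taking the link base from configuration and refusing requests whose Host header is not on an allow-list. `APP_URL`, `ALLOWED_HOSTS`, the function names and the sample token are assumptions chosen for the example.

```python
"""Password-reset link construction: Host-header-derived (the flawed
pattern described for CVE-2025-64425) beside a hardened version.
Editor's illustrative code; not Coolify's implementation."""
from typing import Optional
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed configuration (assumption): an operator-set canonical public
# URL for the instance, as CM-6 recommends, plus the hosts it may answer to.
APP_URL = "https://coolify.example.internal"
ALLOWED_HOSTS = {"coolify.example.internal"}


def reset_link_from_host_header(host_header: str, token: str) -> str:
    """Flawed pattern: trusts the request's Host header to build the link.
    A forged Host value lands in the e-mail, so the reset token is sent to
    whatever host the request named instead of the real instance."""
    return f"https://{host_header}/reset-password?{urlencode({'token': token})}"


def host_is_trusted(host_header: Optional[str]) -> bool:
    """SI-10 style input validation for the Host header: accept only a
    configured hostname (case-insensitive), optionally with a numeric port,
    and reject userinfo, paths, queries or malformed ports."""
    if not host_header:
        return False
    # Prefix "//" so urlsplit treats the value as a network location.
    parts = urlsplit(f"//{host_header}")
    if parts.username or parts.password or parts.path or parts.query:
        return False
    try:
        parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False
    return (parts.hostname or "").lower() in ALLOWED_HOSTS


def reset_link_hardened(host_header: Optional[str], token: str) -> str:
    """Hardened pattern: the link base comes from APP_URL, never from the
    request. The Host check is defence in depth: a request arriving with an
    unexpected Host is refused rather than served with a configured link."""
    if not host_is_trusted(host_header):
        raise ValueError("untrusted Host header; refusing to issue reset link")
    base = urlsplit(APP_URL)
    return urlunsplit(
        (base.scheme, base.netloc, "/reset-password", urlencode({"token": token}), "")
    )


if __name__ == "__main__":
    token = "constructed-token-0123"  # constructed sample value
    print("flawed   :", reset_link_from_host_header("attacker.example", token))
    print("hardened :", reset_link_hardened("coolify.example.internal", token))
    try:
        reset_link_hardened("attacker.example", token)
    except ValueError as exc:
        print("hardened :", exc)
```

Note the two separate decisions in the hardened version: the link base is never derived from the request at all (so a forged Host cannot reach the e-mail), and the Host allow-list additionally lets the application refuse requests that a reverse proxy or DNS misconfiguration routed to it under an unexpected name, which is also a useful signal to log.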
Details
- CWE(s)