CVE-2025-22609

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to attach any existing private key on a coolify instance to his own server. If the server configuration of IP / domain, port (most likely 22) and user (root) matches with the victim's server configuration, then the attacker can use the `Terminal` feature and execute arbitrary commands on the victim's server. Version 4.0.0-beta.361 fixes the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
10 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
GitHub_MCNA
10 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 56%
VendorProductVersion
coollabscoolify
𝑥
< 4.0.0
coollabscoolify
4.0.0:beta100
coollabscoolify
4.0.0:beta101
coollabscoolify
4.0.0:beta102
coollabscoolify
4.0.0:beta103
coollabscoolify
4.0.0:beta104
coollabscoolify
4.0.0:beta105
coollabscoolify
4.0.0:beta106
coollabscoolify
4.0.0:beta107
coollabscoolify
4.0.0:beta108
coollabscoolify
4.0.0:beta109
coollabscoolify
4.0.0:beta110
coollabscoolify
4.0.0:beta111
coollabscoolify
4.0.0:beta112
coollabscoolify
4.0.0:beta113
coollabscoolify
4.0.0:beta114
coollabscoolify
4.0.0:beta115
coollabscoolify
4.0.0:beta116
coollabscoolify
4.0.0:beta117
coollabscoolify
4.0.0:beta118
coollabscoolify
4.0.0:beta119
coollabscoolify
4.0.0:beta120
coollabscoolify
4.0.0:beta121
coollabscoolify
4.0.0:beta122
coollabscoolify
4.0.0:beta123
coollabscoolify
4.0.0:beta124
coollabscoolify
4.0.0:beta125
coollabscoolify
4.0.0:beta126
coollabscoolify
4.0.0:beta127
coollabscoolify
4.0.0:beta128
coollabscoolify
4.0.0:beta129
coollabscoolify
4.0.0:beta130
coollabscoolify
4.0.0:beta131
coollabscoolify
4.0.0:beta132
coollabscoolify
4.0.0:beta133
coollabscoolify
4.0.0:beta134
coollabscoolify
4.0.0:beta135
coollabscoolify
4.0.0:beta136
coollabscoolify
4.0.0:beta137
coollabscoolify
4.0.0:beta138
coollabscoolify
4.0.0:beta139
coollabscoolify
4.0.0:beta140
coollabscoolify
4.0.0:beta141
coollabscoolify
4.0.0:beta142
coollabscoolify
4.0.0:beta143
coollabscoolify
4.0.0:beta144
coollabscoolify
4.0.0:beta145
coollabscoolify
4.0.0:beta146
coollabscoolify
4.0.0:beta147
coollabscoolify
4.0.0:beta148
coollabscoolify
4.0.0:beta149
coollabscoolify
4.0.0:beta150
coollabscoolify
4.0.0:beta151
coollabscoolify
4.0.0:beta152
coollabscoolify
4.0.0:beta153
coollabscoolify
4.0.0:beta154
coollabscoolify
4.0.0:beta155
coollabscoolify
4.0.0:beta156
coollabscoolify
4.0.0:beta157
coollabscoolify
4.0.0:beta158
coollabscoolify
4.0.0:beta159
coollabscoolify
4.0.0:beta160
coollabscoolify
4.0.0:beta161
coollabscoolify
4.0.0:beta162
coollabscoolify
4.0.0:beta163
coollabscoolify
4.0.0:beta164
coollabscoolify
4.0.0:beta165
coollabscoolify
4.0.0:beta166
coollabscoolify
4.0.0:beta167
coollabscoolify
4.0.0:beta168
coollabscoolify
4.0.0:beta169
coollabscoolify
4.0.0:beta170
coollabscoolify
4.0.0:beta171
coollabscoolify
4.0.0:beta172
coollabscoolify
4.0.0:beta173
coollabscoolify
4.0.0:beta174
coollabscoolify
4.0.0:beta175
coollabscoolify
4.0.0:beta176
coollabscoolify
4.0.0:beta177
coollabscoolify
4.0.0:beta178
coollabscoolify
4.0.0:beta179
coollabscoolify
4.0.0:beta18
coollabscoolify
4.0.0:beta180
coollabscoolify
4.0.0:beta181
coollabscoolify
4.0.0:beta182
coollabscoolify
4.0.0:beta183
coollabscoolify
4.0.0:beta184
coollabscoolify
4.0.0:beta185
coollabscoolify
4.0.0:beta186
coollabscoolify
4.0.0:beta187
coollabscoolify
4.0.0:beta188
coollabscoolify
4.0.0:beta189
coollabscoolify
4.0.0:beta19
coollabscoolify
4.0.0:beta190
coollabscoolify
4.0.0:beta191
coollabscoolify
4.0.0:beta192
coollabscoolify
4.0.0:beta193
coollabscoolify
4.0.0:beta194
coollabscoolify
4.0.0:beta195
coollabscoolify
4.0.0:beta196
coollabscoolify
4.0.0:beta197
coollabscoolify
4.0.0:beta198
coollabscoolify
4.0.0:beta199
coollabscoolify
4.0.0:beta20
coollabscoolify
4.0.0:beta200
coollabscoolify
4.0.0:beta201
coollabscoolify
4.0.0:beta202
coollabscoolify
4.0.0:beta203
coollabscoolify
4.0.0:beta204
coollabscoolify
4.0.0:beta205
coollabscoolify
4.0.0:beta206
coollabscoolify
4.0.0:beta207
coollabscoolify
4.0.0:beta208
coollabscoolify
4.0.0:beta209
coollabscoolify
4.0.0:beta21
coollabscoolify
4.0.0:beta211
coollabscoolify
4.0.0:beta212
coollabscoolify
4.0.0:beta213
coollabscoolify
4.0.0:beta214
coollabscoolify
4.0.0:beta215
coollabscoolify
4.0.0:beta216
coollabscoolify
4.0.0:beta217
coollabscoolify
4.0.0:beta218
coollabscoolify
4.0.0:beta219
coollabscoolify
4.0.0:beta22
coollabscoolify
4.0.0:beta220
coollabscoolify
4.0.0:beta221
coollabscoolify
4.0.0:beta222
coollabscoolify
4.0.0:beta223
coollabscoolify
4.0.0:beta224
coollabscoolify
4.0.0:beta225
coollabscoolify
4.0.0:beta226
coollabscoolify
4.0.0:beta227
coollabscoolify
4.0.0:beta228
coollabscoolify
4.0.0:beta229
coollabscoolify
4.0.0:beta23
coollabscoolify
4.0.0:beta230
coollabscoolify
4.0.0:beta231
coollabscoolify
4.0.0:beta232
coollabscoolify
4.0.0:beta233
coollabscoolify
4.0.0:beta234
coollabscoolify
4.0.0:beta235
coollabscoolify
4.0.0:beta236
coollabscoolify
4.0.0:beta237
coollabscoolify
4.0.0:beta238
coollabscoolify
4.0.0:beta239
coollabscoolify
4.0.0:beta24
coollabscoolify
4.0.0:beta240
coollabscoolify
4.0.0:beta241
coollabscoolify
4.0.0:beta242
coollabscoolify
4.0.0:beta243
coollabscoolify
4.0.0:beta244
coollabscoolify
4.0.0:beta245
coollabscoolify
4.0.0:beta246
coollabscoolify
4.0.0:beta247
coollabscoolify
4.0.0:beta248
coollabscoolify
4.0.0:beta249
coollabscoolify
4.0.0:beta25
coollabscoolify
4.0.0:beta250
coollabscoolify
4.0.0:beta251
coollabscoolify
4.0.0:beta252
coollabscoolify
4.0.0:beta253
coollabscoolify
4.0.0:beta254
coollabscoolify
4.0.0:beta255
coollabscoolify
4.0.0:beta256
coollabscoolify
4.0.0:beta257
coollabscoolify
4.0.0:beta258
coollabscoolify
4.0.0:beta259
coollabscoolify
4.0.0:beta26
coollabscoolify
4.0.0:beta260
coollabscoolify
4.0.0:beta261
coollabscoolify
4.0.0:beta262
coollabscoolify
4.0.0:beta263
coollabscoolify
4.0.0:beta264
coollabscoolify
4.0.0:beta265
coollabscoolify
4.0.0:beta266
coollabscoolify
4.0.0:beta267
coollabscoolify
4.0.0:beta268
coollabscoolify
4.0.0:beta269
coollabscoolify
4.0.0:beta27
coollabscoolify
4.0.0:beta270
coollabscoolify
4.0.0:beta271
coollabscoolify
4.0.0:beta272
coollabscoolify
4.0.0:beta273
coollabscoolify
4.0.0:beta274
coollabscoolify
4.0.0:beta275
coollabscoolify
4.0.0:beta276
coollabscoolify
4.0.0:beta277
coollabscoolify
4.0.0:beta278
coollabscoolify
4.0.0:beta279
coollabscoolify
4.0.0:beta28
coollabscoolify
4.0.0:beta280
coollabscoolify
4.0.0:beta281
coollabscoolify
4.0.0:beta282
coollabscoolify
4.0.0:beta283
coollabscoolify
4.0.0:beta284
coollabscoolify
4.0.0:beta285
coollabscoolify
4.0.0:beta286
coollabscoolify
4.0.0:beta287
coollabscoolify
4.0.0:beta288
coollabscoolify
4.0.0:beta289
coollabscoolify
4.0.0:beta29
coollabscoolify
4.0.0:beta290
coollabscoolify
4.0.0:beta291
coollabscoolify
4.0.0:beta292
coollabscoolify
4.0.0:beta293
coollabscoolify
4.0.0:beta294
coollabscoolify
4.0.0:beta295
coollabscoolify
4.0.0:beta296
coollabscoolify
4.0.0:beta297
coollabscoolify
4.0.0:beta298
coollabscoolify
4.0.0:beta299
coollabscoolify
4.0.0:beta30
coollabscoolify
4.0.0:beta300
coollabscoolify
4.0.0:beta301
coollabscoolify
4.0.0:beta302
coollabscoolify
4.0.0:beta303
coollabscoolify
4.0.0:beta304
coollabscoolify
4.0.0:beta305
coollabscoolify
4.0.0:beta306
coollabscoolify
4.0.0:beta307
coollabscoolify
4.0.0:beta308
coollabscoolify
4.0.0:beta309
coollabscoolify
4.0.0:beta31
coollabscoolify
4.0.0:beta310
coollabscoolify
4.0.0:beta311
coollabscoolify
4.0.0:beta312
coollabscoolify
4.0.0:beta313
coollabscoolify
4.0.0:beta314
coollabscoolify
4.0.0:beta315
coollabscoolify
4.0.0:beta316
coollabscoolify
4.0.0:beta317
coollabscoolify
4.0.0:beta318
coollabscoolify
4.0.0:beta319
coollabscoolify
4.0.0:beta32
coollabscoolify
4.0.0:beta320
coollabscoolify
4.0.0:beta321
coollabscoolify
4.0.0:beta322
coollabscoolify
4.0.0:beta323
coollabscoolify
4.0.0:beta324
coollabscoolify
4.0.0:beta325
coollabscoolify
4.0.0:beta326
coollabscoolify
4.0.0:beta327
coollabscoolify
4.0.0:beta328
coollabscoolify
4.0.0:beta329
coollabscoolify
4.0.0:beta33
coollabscoolify
4.0.0:beta330
coollabscoolify
4.0.0:beta331
coollabscoolify
4.0.0:beta332
coollabscoolify
4.0.0:beta333
coollabscoolify
4.0.0:beta334
coollabscoolify
4.0.0:beta335
coollabscoolify
4.0.0:beta336
coollabscoolify
4.0.0:beta337
coollabscoolify
4.0.0:beta338
coollabscoolify
4.0.0:beta339
coollabscoolify
4.0.0:beta34
coollabscoolify
4.0.0:beta340
coollabscoolify
4.0.0:beta341
coollabscoolify
4.0.0:beta342
coollabscoolify
4.0.0:beta343
coollabscoolify
4.0.0:beta344
coollabscoolify
4.0.0:beta345
coollabscoolify
4.0.0:beta346
coollabscoolify
4.0.0:beta347
coollabscoolify
4.0.0:beta348
coollabscoolify
4.0.0:beta349
coollabscoolify
4.0.0:beta35
coollabscoolify
4.0.0:beta350
coollabscoolify
4.0.0:beta351
coollabscoolify
4.0.0:beta352
coollabscoolify
4.0.0:beta353
coollabscoolify
4.0.0:beta354
coollabscoolify
4.0.0:beta355
coollabscoolify
4.0.0:beta356
coollabscoolify
4.0.0:beta357
coollabscoolify
4.0.0:beta358
coollabscoolify
4.0.0:beta359
coollabscoolify
4.0.0:beta36
coollabscoolify
4.0.0:beta360
coollabscoolify
4.0.0:beta37
coollabscoolify
4.0.0:beta38
coollabscoolify
4.0.0:beta39
coollabscoolify
4.0.0:beta40
coollabscoolify
4.0.0:beta41
coollabscoolify
4.0.0:beta42
coollabscoolify
4.0.0:beta43
coollabscoolify
4.0.0:beta44
coollabscoolify
4.0.0:beta45
coollabscoolify
4.0.0:beta46
coollabscoolify
4.0.0:beta47
coollabscoolify
4.0.0:beta48
coollabscoolify
4.0.0:beta49
coollabscoolify
4.0.0:beta50
coollabscoolify
4.0.0:beta51
coollabscoolify
4.0.0:beta52
coollabscoolify
4.0.0:beta53
coollabscoolify
4.0.0:beta54
coollabscoolify
4.0.0:beta55
coollabscoolify
4.0.0:beta56
coollabscoolify
4.0.0:beta57
coollabscoolify
4.0.0:beta58
coollabscoolify
4.0.0:beta59
coollabscoolify
4.0.0:beta60
coollabscoolify
4.0.0:beta61
coollabscoolify
4.0.0:beta62
coollabscoolify
4.0.0:beta63
coollabscoolify
4.0.0:beta64
coollabscoolify
4.0.0:beta65
coollabscoolify
4.0.0:beta66
coollabscoolify
4.0.0:beta67
coollabscoolify
4.0.0:beta68
coollabscoolify
4.0.0:beta69
coollabscoolify
4.0.0:beta70
coollabscoolify
4.0.0:beta71
coollabscoolify
4.0.0:beta72
coollabscoolify
4.0.0:beta73
coollabscoolify
4.0.0:beta74
coollabscoolify
4.0.0:beta75
coollabscoolify
4.0.0:beta76
coollabscoolify
4.0.0:beta77
coollabscoolify
4.0.0:beta78
coollabscoolify
4.0.0:beta79
coollabscoolify
4.0.0:beta80
coollabscoolify
4.0.0:beta81
coollabscoolify
4.0.0:beta82
coollabscoolify
4.0.0:beta83
coollabscoolify
4.0.0:beta84
coollabscoolify
4.0.0:beta85
coollabscoolify
4.0.0:beta86
coollabscoolify
4.0.0:beta87
coollabscoolify
4.0.0:beta88
coollabscoolify
4.0.0:beta89
coollabscoolify
4.0.0:beta90
coollabscoolify
4.0.0:beta91
coollabscoolify
4.0.0:beta92
coollabscoolify
4.0.0:beta93
coollabscoolify
4.0.0:beta94
coollabscoolify
4.0.0:beta95
coollabscoolify
4.0.0:beta96
coollabscoolify
4.0.0:beta97
coollabscoolify
4.0.0:beta98
coollabscoolify
4.0.0:beta99
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/coollabsio/coolify/security/advisories/GHSA-3w2c-jfr2-9pg9