CVE-2025-22607
5.5 MEDIUM
📋 TL;DR
This vulnerability allows any authenticated user in Coolify to access sensitive GitHub/GitLab configuration details (client ID, client secret, webhook secret) by simply knowing the UUID of the configuration. This affects all Coolify instances running versions before 4.0.0-beta.361.
💻 Affected Systems
Products:
- Coolify
Versions: All versions prior to 4.0.0-beta.361
Operating Systems: All platforms where Coolify runs
Default Config Vulnerable:
⚠️ Yes
Notes: This affects all Coolify deployments regardless of configuration. The vulnerability exists in the authorization logic for GitHub/GitLab configuration endpoints.
📦 What is this software?
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal OAuth credentials and webhook secrets, potentially gaining unauthorized access to connected GitHub/GitLab repositories and performing malicious actions under the compromised identity.
Likely Case
Authenticated users within the Coolify instance could exfiltrate sensitive configuration data, potentially leading to unauthorized access to version control systems and their resources.
If Mitigated
With proper access controls and patching, only authorized administrators can access sensitive configuration data, preventing credential exposure.
🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM
🎯 Exploit Status
Public PoC:
✅ No
Weaponized:
LIKELY
Unauthenticated Exploit:
✅ No
Complexity:
LOW
Exploitation requires authenticated access to Coolify but is trivial once authenticated - attackers only need to know or guess UUIDs of GitHub/GitLab configurations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.0-beta.361
Vendor Advisory: https://github.com/coollabsio/coolify/security/advisories/GHSA-8w24-gfgq-jg72
Restart Required: Yes
Instructions:
1. Update Coolify to version 4.0.0-beta.361 or later. 2. Restart the Coolify service. 3. Verify the update was successful by checking the version.
🔧 Temporary Workarounds
Restrict Access to Configuration Endpoints
allImplement network-level access controls to restrict which users can reach the GitHub/GitLab configuration endpoints.
Rotate Exposed Credentials
allIf credentials may have been exposed, immediately rotate GitHub/GitLab OAuth client secrets and webhook secrets.
🧯 If You Can't Patch
- Implement strict access controls and monitor for unauthorized access to configuration endpoints
- Rotate all GitHub/GitLab OAuth credentials and webhook secrets immediately
🔍 How to Verify
Check if Vulnerable:
Check if your Coolify version is below 4.0.0-beta.361. Authenticated users can test by attempting to access GitHub/GitLab configuration endpoints with known UUIDs.Check Version:
coolify --version or check the Coolify web interface settings/version pageVerify Fix Applied:
After updating to 4.0.0-beta.361 or later, verify that authenticated users without proper authorization can no longer access GitHub/GitLab configuration details.📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to /api/v1/github/* or /api/v1/gitlab/* endpoints
- Multiple failed authorization checks for configuration endpoints
Network Indicators:
- Unusual patterns of requests to GitHub/GitLab configuration endpoints from non-admin users
SIEM Query:
source="coolify" AND (uri_path="/api/v1/github/*" OR uri_path="/api/v1/gitlab/*") AND user_role!="admin" AND response_code=200