CVE-2025-24025

6.1 MEDIUM

📋 TL;DR

Coolify versions before 4.0.0-beta.380 contain a reflected cross-site scripting (XSS) vulnerability in the tags search functionality. When a search returns no results, the search query is improperly reflected in the error modal without proper sanitization, allowing attackers to inject malicious scripts. This affects all Coolify instances running vulnerable versions.

💻 Affected Systems

Products:
  • Coolify
Versions: All versions prior to 4.0.0-beta.380
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with the tags search functionality enabled are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, perform actions as authenticated users, deface the interface, or redirect users to malicious sites.

🟠 Likely Case

Attackers could steal user session tokens or credentials through crafted phishing links, leading to unauthorized access to the Coolify instance.

🟢 If Mitigated

With proper input validation and output encoding, the reflected content would be safely displayed without executing scripts.
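The output-encoding fix described above, shown as an added example that is not Coolify's own code: a minimal "no results" modal is rendered once with the raw search string interpolated (the vulnerable pattern) and once with the value HTML-encoded first (the hardened pattern), plus an optional allow-list validator. The modal markup and the tag character set are assumptions made for the illustration.

```python
import html
import re

# Assumed allow-list for tag search terms (illustrative, not Coolify's rule):
# letters, digits, and a few separators, at most 64 characters.
TAG_QUERY_RE = re.compile(r"^[A-Za-z0-9_.:\- ]{1,64}$")


def validate_tag_query(query: str) -> bool:
    """First defensive layer: reject search terms that cannot be a tag name."""
    return bool(TAG_QUERY_RE.match(query))


def render_no_results_modal_vulnerable(query: str) -> str:
    """Vulnerable pattern: the untrusted search string goes straight into HTML."""
    return f'<div class="modal"><p>No tags found for "{query}"</p></div>'


def render_no_results_modal_fixed(query: str) -> str:
    """Hardened pattern: HTML-encode the value at the point it enters markup.

    html.escape(quote=True) turns <, >, &, " and ' into entities, so the browser
    displays the search term as text instead of parsing it as markup.
    """
    return (
        '<div class="modal"><p>No tags found for "'
        f'{html.escape(query, quote=True)}"</p></div>'
    )


def contains_raw_script_tag(rendered: str) -> bool:
    """Check used by the demo: is an un-encoded <script opening tag still present?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    # The probe string used on this page, run through both renderers.
    probe = "<script>alert('XSS')</script>"
    print("validates:", validate_tag_query(probe))
    print("vulnerable:", render_no_results_modal_vulnerable(probe))
    print("fixed:     ", render_no_results_modal_fixed(probe))
```

Encoding at output time is the fix that closes the bug; the allow-list is an extra layer that also keeps the escaped text readable in the modal, since a rejected term can be replaced by a generic message.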

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (clicking a malicious link) but doesn't require authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.0-beta.380

Vendor Advisory: https://github.com/coollabsio/coolify/security/advisories/GHSA-f2gf-jvmh-vq73

Restart Required: Yes

Instructions:

1. Back up your Coolify instance.
2. Update to version 4.0.0-beta.380 or later using your package manager or deployment method.
3. Restart the Coolify service.

🔧 Temporary Workarounds

Disable tags search (applies to: all)

Temporarily disable the tags search functionality to prevent exploitation.

Implement WAF rules (applies to: all)

Configure web application firewall rules to block XSS payloads in query parameters.

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution
  • Deploy a reverse proxy with XSS filtering capabilities

🔍 How to Verify

Check if Vulnerable:

Navigate to the tags page and search for a payload like <script>alert('XSS')</script>. If an alert appears, the instance is vulnerable.

Check Version:

Check the Coolify web interface dashboard or run the appropriate version command for your deployment method.

Verify Fix Applied:

After updating, repeat the vulnerable payload test. No script execution should occur.

📡 Detection & Monitoring

Log Indicators:

  • Unusual search queries containing script tags or JavaScript code in tags search requests

Network Indicators:

  • HTTP requests to tags endpoint with suspicious query parameters

SIEM Query:

source="coolify" AND uri_path="/tags" AND query_string CONTAINS "<script>"
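The detection logic above, as an added example that is not part of the original advisory: the SIEM query matches the literal string `<script>` in the raw query string, so a request that sends the same probe percent-encoded (as browsers and most HTTP clients do) would not match. This script parses combined-format access log lines, decodes the query parameters of requests to the tags endpoint, and flags those containing a script tag in plain, encoded, or double-encoded form. The log lines are constructed for the example and the `/tags?search=` parameter name is an assumption; adjust the path and parameter to match your deployment's actual request format.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real Coolify logs.
# Line 2 is the probe from this page percent-encoded, line 3 is it sent raw,
# line 4 is a double-encoded opening tag, line 5 targets a different path.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2025:12:00:01 +0000] "GET /tags?search=production HTTP/1.1" 200 512
10.0.0.7 - - [10/Mar/2025:12:00:09 +0000] "GET /tags?search=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E HTTP/1.1" 200 734
10.0.0.9 - - [10/Mar/2025:12:00:15 +0000] "GET /tags?search=<script>alert('XSS')</script> HTTP/1.1" 200 734
10.0.0.11 - - [10/Mar/2025:12:00:22 +0000] "GET /tags?search=%253Cscript%253E HTTP/1.1" 200 734
10.0.0.13 - - [10/Mar/2025:12:00:30 +0000] "GET /projects?search=%3Cscript%3E HTTP/1.1" 200 100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \d+$'
)

# Opening script tag, case-insensitive, tolerating whitespace after '<'.
SCRIPT_TAG_RE = re.compile(r"<\s*script\b", re.IGNORECASE)

TAGS_PATH = "/tags"  # assumed endpoint path for the tags search


def parse_line(line: str):
    """Parse one access-log line into a dict with decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes each value once.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def is_suspicious(rec) -> bool:
    """Flag tags-search requests whose parameters carry a script tag."""
    if rec["path"] != TAGS_PATH:
        return False
    for _, value in rec["params"]:
        # Decode a second time so a double-encoded value is also inspected.
        if SCRIPT_TAG_RE.search(value) or SCRIPT_TAG_RE.search(unquote(value)):
            return True
    return False


def find_suspicious(log_text: str):
    """Return the source IPs of suspicious tags-search requests, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_suspicious(rec):
            hits.append(rec["ip"])
    return hits


if __name__ == "__main__":
    for ip in find_suspicious(SAMPLE_LOG):
        print("suspicious tags search from", ip)
```

The same idea carries over to the SIEM: apply the platform's URL-decoding function to the query string before matching, or match on the encoded form as well as the literal one.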
