CVE-2025-22607

Jan. 24, 2025, 4:15 p.m.

None
No Score

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to fetch the details page for any GitHub / GitLab configuration on a Coolify instance by only knowing the UUID of the model. This exposes the "client id", "client secret" and "webhook secret." Version 4.0.0-beta.361 fixes this issue.

Product(s) Impacted

Product Versions
Coolify
  • ['before 4.0.0-beta.361']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

https://github.com/coollabsio/coolify/security/advisories/GHSA-8w24-gfgq-jg72

Tags

security-advisories@github.com
CWE-200
2025-01-24
CVE-2025-22607

Timeline

Published: Jan. 24, 2025, 4:15 p.m.
Last Modified: Jan. 24, 2025, 4:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.