Vulnerability Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can see and use invitation links sent to an administrator. When they use the link before the legitimate recipient does, they are able to log in as an administrator, meaning they have successfully escalated their privileges. As of time of publication, it is unclear if a patch is available.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Coollabs | Coolify | < 4.0.0 |
Related Weaknesses (CWE)
References
- https://github.com/coollabsio/coolify/security/advisories/GHSA-4fqm-797g-7m6jExploitVendor Advisory
- https://github.com/coollabsio/coolify/security/advisories/GHSA-4fqm-797g-7m6jExploitVendor Advisory
FAQ
What is CVE-2025-64423?
CVE-2025-64423 is a vulnerability with a CVSS score of 8.8 (HIGH). Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can see and ...
How severe is CVE-2025-64423?
CVE-2025-64423 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-64423?
Check the references section above for vendor advisories and patch information. Affected products include: Coollabs Coolify.