What is the CVSS score of CVE-2025-22612?

CVE-2025-22612 has a CVSS 3.1 base score of 10.0 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.5%.

Which versions of Coolify are affected by CVE-2025-22612?

Organizations using Coolify face critical risk from CVE-2025-22612, a information exposure vulnerability rated CVSS 10.0.

Is there a public PoC exploit available for CVE-2025-22612?

Yes, a public proof-of-concept exploit is available for CVE-2025-22612. Prioritise patching immediately. EPSS: 0.5%.

How to fix or mitigate CVE-2025-22612?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Monitor vendor channels for patch availability.

Coolify CVE-2025-22612

CRITICAL

Information Exposure (CWE-200)

2025-01-24 security-advisories@github.com

Information Disclosure Coolify

10.0

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:05 vuln.today

PoC Detected

Sep 19, 2025 - 15:27 vuln.today

Public exploit code

CVE Published

Jan 24, 2025 - 17:15 nvd

CRITICAL 10.0

DescriptionNVD

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.374, the missing authorization allows an authenticated user to retrieve any existing private keys on a coolify instance in plain text. If the server configuration of IP / domain, port (most likely 22) and user (root) matches with the victim's server configuration, then the attacker can execute arbitrary commands on the remote server. Version 4.0.0-beta.374 fixes the issue.

AnalysisAI

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.374, the missing authorization allows an authenticated user to retrieve any existing private keys on a coolify instance in plain text. If the server configuration of IP / domain, port (most likely 22) and user (root) matches with the victim's server configuration, then the attacker can execute arbitrary commands on the remote server. Version 4.0.0-beta.374 fixes the issue. Affected products include: Coollabs Coolify. Version information: version 4.0.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.

CVE-2025-22612 vulnerability details – vuln.today

Back

Coolify CVE-2025-22612

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code