What is the CVSS score of CVE-2025-64425?

CVE-2025-64425 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Coolify are affected by CVE-2025-64425?

Organizations using Coolify face notable risk from CVE-2025-64425 rated CVSS 8.1. Successful exploitation could significantly impact the confidentiality, integrity, or availability of affected…

Is there a public PoC exploit available for CVE-2025-64425?

Yes, a public proof-of-concept exploit is available for CVE-2025-64425. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-64425?

Within 7 days: Identify all affected systems running Coolify and apply vendor patches promptly. Monitor vendor channels for patch availability.

Coolify CVE-2025-64425

HIGH

Improper Neutralization of HTTP Headers for Scripting Syntax (CWE-644)

2026-01-05 security-advisories@github.com

Information Disclosure Coolify

8.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Jan 12, 2026 - 18:36 vuln.today

Public exploit code

CVE Published

Jan 05, 2026 - 21:16 nvd

HIGH 8.1

DescriptionNVD

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, an attacker can initiate a password reset for a victim, and modify the host header of the request to a malicious value. The victim will receive a password reset email, with a link to the malicious host. If the victim clicks this link, their reset token is sent to the attacker's server, allowing the attacker to use it to change the victim's password and takeover their account. As of time of publication, it is unclear if a patch is available.

AnalysisAI

Technical ContextAI

Affects Coolify. Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, an attacker can initiate a password reset for a victim, and modify the host header of the request to a malicious value. The victim will receive a password reset email, with a link to the malicious host. If the victim clicks this link, their reset token is sent to the attacker's server, allowing the attacker to use it to change the victim's p

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

CVE-2025-64425 vulnerability details – vuln.today

Back