QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2025-64425

Back to search

CVE-2025-64425

Published: Jan 5, 2026

Modified: Jan 5, 2026

PUBLISHED

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, an attacker can initiate a password reset for a victim, and modify the host header of the request to a malicious value. The victim will receive a password reset email, with a link to the malicious host. If the victim clicks this link, their reset token is sent to the attacker's server, allowing the attacker to use it to change the victim's password and takeover their account. As of time of publication, it is unclear if a patch is available.

VendorProductVersions

coollabsio

coolify

affected
<= 4.0.0-beta.434

Weaknesses (CWE)

CWE-644

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now