CVE 8.5 HIGH

Coolify has host header injection in forgot password_CVE-2025-64425

January 5, 2026 invoker category_cve

8.5 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/SC:N

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, an attacker can initiate a password reset for a victim, and modify the host header of the request to a malicious value. The victim will receive a password reset email, with a link to the malicious host. If the victim clicks this link, their reset token is sent to the attacker's server, allowing the attacker to use it to change the victim's password and takeover their account. As of time of publication, it is unclear if a patch is available.

AI Analysis

Host header injection vulnerability in Coolify's forgot password feature, allowing attackers to takeover user accounts.

Basic Information

ID CVE-2025-64425

Source GitHub_M

Published Jan 5, 2026 at 20:49

Affected Product

Vendor coollabsio

Product coolify

Version <= 4.0.0-beta.434

Affected Versions coollabsio coolify <= 4.0.0-beta.434

CWE Classification

CWE-644

AI Assessment

AI Score 8.5 / 10

AI Severity High

Vendor Coollabsio

Product Coolify

Version <= 4.0.0-beta.434

References

{
    "lastseen": "",
    "description": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, an attacker can initiate a password reset for a victim, and modify the host header of the request to a malicious value. The victim will receive a password reset email, with a link to the malicious host. If the victim clicks this link, their reset token is sent to the attacker's server, allowing the attacker to use it to change the victim's password and takeover their account. As of time of publication, it is unclear if a patch is available.",
    "published": "2026-01-05T20:49:10.727Z",
    "modified": "2026-01-05T20:49:10.727Z",
    "type": "cve",
    "title": "Coolify has host header injection in forgot password",
    "source": "GitHub_M",
    "references": "https://github.com/coollabsio/coolify/security/advisories/GHSA-f737-2p93-g2cw\nhttps://drive.google.com/file/d/1I5sJHcpetJbKlwVS2usAD7qmgH37Y4rw/view?usp=drive_link",
    "id": "CVE-2025-64425",
    "bulletinFamily": "",
    "cwe": [
        "CWE-644"
    ],
    "cvelist": null,
    "sourceData": "coollabsio coolify <= 4.0.0-beta.434",
    "sourceHref": "",
    "cvss": {
        "score": 8.5,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/SC:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "coolify",
    "version": "<= 4.0.0-beta.434",
    "vendor": "coollabsio",
    "ai_description": "Host header injection vulnerability in Coolify's forgot password feature, allowing attackers to takeover user accounts.",
    "ai_severity": "High",
    "ai_vendor": "Coollabsio",
    "ai_product": "Coolify",
    "ai_version": "<= 4.0.0-beta.434",
    "ai_score": 8.5
}

💭 Join the Security Discussion ❌ Cancel Reply