CVE-2025-59955

Summary

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.8 have an information disclosure vulnerability in the /api/v1/teams/{team_id}/members and /api/v1/teams/current/members API endpoints allows authenticated team members to access a highly sensitive email_change_code from other users on the same team. This code is intended for a single-use email change verification and should be kept secret. Its exposure could enable a malicious actor to perform an unauthorized email address change on behalf of the victim. As of time of publication, no known patched versions exist.

Affected Software

VendorProductVersion RangeStatus
coollabsiocoolify<= 4.0.0-beta.428affected

Weaknesses

  • CWE-201: CWE-201: Insertion of Sensitive Information Into Sent Data
  • CWE-212: CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer
  • CWE-214: CWE-214: Invocation of Process Using Visible Sensitive Information

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References