CVE-2025-64421: CWE-863: Incorrect Authorization in coollabsio coolify
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can invite a high privileged user. At first, the application throws an error, but if the attacker clicks the invite button a second time, the invitation actually goes through. This way, a low privileged user can invite themselves as an administrator to the Coolify instance. After the high privileged user is invited, the attacker can initiate a password reset and log in as the new admin. As of the time of publication, it is unclear if a patch is available.
AI Analysis
Technical Summary
CVE-2025-64421 is an authorization bypass vulnerability classified under CWE-863 (Incorrect Authorization) affecting Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. The vulnerability exists in Coolify versions up to and including 4.0.0-beta.434. It allows a user holding the low privileged member role to escalate privileges through a flaw in the user invitation mechanism. When a member attempts to invite a user with a higher privileged role, the application initially returns an error and the action is blocked. If the attacker clicks the invite button a second time, however, the system erroneously processes the invitation, so the member can invite themselves as an administrator. Once that administrator account exists, the attacker can initiate a password reset for it and gain full administrative access to the Coolify instance. The vulnerability is remotely exploitable, requires no user interaction beyond the repeated invite action, and requires no prior authentication beyond low privileged membership. The CVSS 4.0 base score is 8.7 (high severity), reflecting the network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact on confidentiality, integrity, and availability is high, as an attacker can fully control the affected system. As of the publication date, no patch or fix has been confirmed, and no exploitation in the wild has been reported. The vulnerability poses a critical risk to organizations relying on Coolify for infrastructure management, potentially leading to unauthorized access, data compromise, and operational disruption.
Potential Impact
For European organizations, the impact of CVE-2025-64421 is significant due to the potential for complete administrative takeover of Coolify instances. Organizations using Coolify to manage servers, applications, or databases could face unauthorized access to sensitive data, disruption of services, and potential lateral movement within their networks. The ability for a low privileged user to escalate privileges without detection increases the risk of insider threats and external attackers exploiting compromised accounts. This could lead to data breaches, service outages, and loss of control over critical infrastructure components. Given the open-source nature of Coolify, many small to medium enterprises and development teams across Europe might deploy it, increasing the attack surface. The lack of a confirmed patch means organizations must rely on compensating controls, increasing operational overhead and risk. Regulatory compliance frameworks in Europe, such as GDPR, could be impacted if personal data is exposed due to this vulnerability, leading to legal and financial consequences.
Mitigation Recommendations
1. Immediately audit all Coolify instances to identify affected versions (<= 4.0.0-beta.434) and restrict membership roles to trusted users only.
2. Disable or restrict the invitation functionality for low privileged users until a patch is available.
3. Implement strict monitoring and alerting on invitation-related activities, especially repeated invite attempts by low privileged users.
4. Enforce multi-factor authentication (MFA) on all administrative accounts to reduce the risk of account takeover.
5. Isolate Coolify instances from public networks where possible, limiting access to trusted internal networks or VPNs.
6. Regularly review and rotate credentials associated with Coolify admin accounts.
7. Engage with the Coolify community or vendor to track patch releases and apply updates promptly once available.
8. Consider deploying web application firewalls (WAF) with custom rules to detect and block suspicious invitation requests.
9. Conduct internal penetration testing focused on privilege escalation vectors within Coolify to identify any additional weaknesses.
10. Prepare incident response plans specifically addressing potential Coolify compromise scenarios.
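The two defensive points above that lend themselves to code are the server-side invariant the bug violates (an inviter must never be able to grant a role above their own, and that decision must not depend on how many times the request is retried) and recommendation 3 (alert on repeated invite attempts by low privileged users). The following is an added example, not Coolify's code: the role names, their ranking, the audit-log line format and the sample log lines are all constructed for illustration, since the page gives no detail of Coolify's internals beyond the "member" and "administrator" roles.

```python
"""Added example: a retry-independent invitation authorization check and a
detector for escalating invite attempts over constructed audit-log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed role hierarchy (constructed; not Coolify's actual role model).
ROLE_RANK = {"member": 1, "admin": 2, "owner": 3}


def can_invite(inviter_role: str, invited_role: str) -> bool:
    """An inviter may only grant a role no higher than their own.
    Unknown roles fail closed. The decision is a pure function of the two
    roles, so repeating the request cannot change the outcome."""
    if inviter_role not in ROLE_RANK or invited_role not in ROLE_RANK:
        return False
    return ROLE_RANK[invited_role] <= ROLE_RANK[inviter_role]


class InviteService:
    """Minimal service that applies can_invite on every call and keeps no
    per-attempt state that a second click could exploit."""

    def __init__(self):
        self.pending = []  # (email, role) invitations that passed the check

    def invite(self, inviter_role: str, email: str, invited_role: str) -> bool:
        if not can_invite(inviter_role, invited_role):
            return False  # denied; nothing is recorded, so a retry is denied too
        self.pending.append((email, invited_role))
        return True


# Constructed audit-log format (assumption): one invite action per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) team=(?P<team>\S+) actor=(?P<actor>\S+) role=(?P<role>\S+) "
    r"action=invite target_role=(?P<target>\S+) result=(?P<result>\S+)$"
)


def parse_line(line: str):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def find_suspicious_invites(lines, window=timedelta(minutes=5), threshold=2):
    """Return alerts for actors who try to grant a role above their own:
    - 'repeated_escalating_invite' when `threshold` or more such attempts
      fall inside `window` (mitigation 3, repeated invite attempts);
    - 'denied_then_allowed' when the same actor/target pair was first
      denied and later allowed, which is the bug itself showing up in logs."""
    events = [e for e in map(parse_line, lines) if e]
    by_key = defaultdict(list)
    for e in events:
        if not can_invite(e["role"], e["target"]):  # escalating attempt
            by_key[(e["team"], e["actor"], e["target"])].append(e)

    alerts = []
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):  # sliding window over attempts
            j = i
            while j + 1 < len(evs) and evs[j + 1]["ts"] - evs[i]["ts"] <= window:
                j += 1
            if j - i + 1 >= threshold:
                alerts.append(("repeated_escalating_invite", key, j - i + 1))
                break
        results = [e["result"] for e in evs]
        if "denied" in results and "allowed" in results[results.index("denied"):]:
            alerts.append(("denied_then_allowed", key, len(evs)))
    return alerts


# Constructed sample log: a member is denied an admin invite, then the
# identical retry four seconds later is allowed; an owner's admin invite is fine.
SAMPLE_LOG = """\
2026-01-05T19:50:01Z team=7 actor=dev@example.invalid role=member action=invite target_role=member result=allowed
2026-01-05T19:52:10Z team=7 actor=dev@example.invalid role=member action=invite target_role=admin result=denied
2026-01-05T19:52:14Z team=7 actor=dev@example.invalid role=member action=invite target_role=admin result=allowed
2026-01-05T19:55:00Z team=7 actor=lead@example.invalid role=owner action=invite target_role=admin result=allowed
"""

if __name__ == "__main__":
    for alert in find_suspicious_invites(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run on the sample log, the detector raises both alerts for the member targeting the admin role and stays silent for the owner, because the escalation test is the same `can_invite` predicate the service enforces; keeping one rule for enforcement and detection avoids the two drifting apart.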
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-03T22:12:51.364Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 695c16933839e441758db0b0
Added to database: 1/5/2026, 7:52:51 PM
Last enriched: 1/5/2026, 8:07:13 PM
Last updated: 1/8/2026, 5:07:52 AM
Views: 32