CVE-2025-64422: CWE-770: Allocation of Resources Without Limits or Throttling in coollabsio coolify
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify starting with version 4.0.0-beta.434, the /login endpoint advertises a rate limit of 5 requests but can be trivially bypassed by rotating the X-Forwarded-For header. This enables unlimited credential stuffing and brute-force attempts against user and admin accounts. As of time of publication, it is unclear if a patch is available.
AI Analysis
Technical Summary
CVE-2025-64422 is a vulnerability classified under CWE-770, indicating allocation of resources without limits or throttling, found in Coolify versions starting from 4.0.0-beta.434. Coolify is an open-source, self-hosted platform used for managing servers, applications, and databases. The vulnerability resides in the /login endpoint, which advertises a rate limit of 5 login attempts to prevent brute-force attacks. However, this rate limiting can be trivially bypassed by manipulating the X-Forwarded-For HTTP header, which is commonly used to identify the originating IP address of a client connecting through a proxy or load balancer. By rotating or spoofing this header, an attacker can circumvent the rate limit and perform unlimited login attempts. This flaw enables credential stuffing and brute-force attacks against both user and administrative accounts without requiring authentication or user interaction. The CVSS 4.0 base score is 5.5 (medium severity), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on availability. No patch or fix is currently available, and no known exploits have been reported in the wild. This vulnerability poses a risk of unauthorized access, potentially compromising confidentiality and integrity of managed systems and data within Coolify environments.
Potential Impact
For European organizations, this vulnerability presents a significant risk to the security of server and application management infrastructure. Coolify is used to manage critical resources such as servers, applications, and databases, so successful brute-force attacks could lead to unauthorized access to administrative accounts, enabling attackers to manipulate or disrupt services, exfiltrate sensitive data, or deploy further attacks. The bypass of rate limiting increases the likelihood of successful credential stuffing attacks, especially if weak or reused passwords are present. This could lead to data breaches, service outages, and loss of trust. Organizations with internet-facing Coolify instances are particularly vulnerable. The impact extends to confidentiality and integrity, as attackers gaining access could alter configurations or access sensitive information. Availability impact is limited but possible if attackers disrupt services post-compromise. The medium CVSS score reflects these considerations but the ease of exploitation and lack of required privileges heighten the urgency for mitigation.
Mitigation Recommendations
1. Implement robust rate limiting that cannot be bypassed by header manipulation; specifically, do not rely solely on the X-Forwarded-For header for client IP identification.
2. Configure Coolify or the underlying web server to validate and sanitize incoming headers to prevent spoofing.
3. Deploy Web Application Firewalls (WAFs) with anomaly detection capabilities to identify and block unusual login patterns or rapid repeated attempts from varying IP addresses.
4. Enforce strong password policies and encourage multi-factor authentication (MFA) for all user accounts, especially administrative ones.
5. Monitor login logs for suspicious activity, such as high volumes of failed login attempts or unusual IP address patterns.
6. Isolate Coolify management interfaces behind VPNs or internal networks where possible to reduce exposure.
7. Stay informed about updates from Coolify developers and apply patches promptly once available.
8. Consider implementing account lockout policies after a threshold of failed login attempts to further hinder brute-force attacks.
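The following is an added illustration of the weakness described in the technical summary and of mitigation steps 1 and 2; it is constructed example code, not Coolify's implementation. It keys the login rate limit on the TCP peer address and only consults X-Forwarded-For when that peer is in an assumed trusted-proxy range (10.0.0.0/8 here), so a client that rotates the header on a direct connection keeps hitting the same 5-attempt budget. The `trust_header_blindly` flag reproduces the vulnerable keying for comparison.

```python
import ipaddress
from collections import defaultdict
from typing import Optional

# Assumption for this example: the reverse proxies we operate live in 10.0.0.0/8.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(ip: str) -> bool:
    """True if ip belongs to one of our proxies; raises ValueError on garbage."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Resolve the address to rate-limit on.

    The header is ignored unless the TCP peer itself is a trusted proxy; then the
    rightmost entry not belonging to a trusted proxy is used, because every hop
    to the left of it was written by something we do not control."""
    if not xff or not _is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not _is_trusted(hop):
                return hop
        except ValueError:  # malformed entry: fall back to the peer address
            return remote_addr
    return remote_addr  # header contained only our own proxies


class LoginLimiter:
    """Fixed budget of attempts per key, matching the 5 that /login advertises."""

    def __init__(self, limit: int = 5, trust_header_blindly: bool = False):
        self.limit = limit
        self.blind = trust_header_blindly
        self.attempts = defaultdict(int)

    def allow(self, remote_addr: str, xff: Optional[str]) -> bool:
        # Vulnerable keying: the header alone, so each rotation starts a fresh count.
        if self.blind:
            key = xff or remote_addr
        else:
            key = client_ip(remote_addr, xff)
        self.attempts[key] += 1
        return self.attempts[key] <= self.limit
```

The same peer-versus-header distinction applies to the server-side logging in step 5: record the resolved address and the raw header side by side so that a burst of failures sharing one peer but many header values stands out.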
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-03T22:12:51.364Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 695c211f3839e441758f3419
Added to database: 1/5/2026, 8:37:51 PM
Last enriched: 1/5/2026, 8:52:10 PM
Last updated: 1/8/2026, 1:13:43 PM