
CVE-2025-64425: CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax in coollabsio coolify

Severity: High
Published: Mon Jan 05 2026 (01/05/2026, 20:49:10 UTC)
Source: CVE Database V5
Vendor/Project: coollabsio
Product: coolify

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, an attacker can initiate a password reset for a victim and modify the Host header of the request to a malicious value. The victim will receive a password reset email with a link to the malicious host. If the victim clicks this link, their reset token is sent to the attacker's server, allowing the attacker to use it to change the victim's password and take over their account. As of the time of publication, it is unclear if a patch is available.

AI-Powered Analysis

AI analysis last updated: 01/05/2026, 21:07:27 UTC

Technical Analysis

CVE-2025-64425 affects Coolify, an open-source, self-hostable platform for managing servers, applications, and databases. The vulnerability arises from improper neutralization of HTTP headers, specifically the Host header, during the password reset process. An unauthenticated attacker can initiate a password reset for any victim and supply a malicious Host header value. Coolify then sends the password reset email containing a link with this attacker-controlled host. When the victim clicks the link, the reset token embedded in the URL is sent to the attacker’s server. This token can be used by the attacker to reset the victim’s password and gain unauthorized access to their account. The vulnerability is classified under CWE-644, indicating improper neutralization of HTTP headers for scripting syntax, which leads to token leakage. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, and high impact on confidentiality and integrity. No patch or fix is currently confirmed, and no active exploitation has been reported. This vulnerability is particularly dangerous because it enables account takeover without requiring credentials or elevated privileges, relying solely on social engineering to trick victims into clicking the malicious link. Organizations relying on Coolify for critical infrastructure management face risks of unauthorized access, potential data breaches, and disruption of services if attackers leverage this flaw.

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those using Coolify to manage critical servers, applications, or databases. Successful exploitation leads to account takeover, which can result in unauthorized access to sensitive infrastructure, data exfiltration, or disruption of services. Attackers could pivot from compromised accounts to further internal systems, increasing the scope of damage. The social engineering component (the victim clicking the malicious link) means that user awareness and training are critical but not foolproof. The lack of a confirmed patch increases exposure time. Organizations in sectors with high regulatory scrutiny (finance, healthcare, government) face additional compliance risks and potential fines if breaches occur. Furthermore, the open-source nature of Coolify means that smaller organizations or those with limited security resources may be disproportionately vulnerable. The vulnerability's network-based attack vector and lack of any authentication requirement make it accessible to remote attackers, increasing the threat surface across Europe.

Mitigation Recommendations

1. Immediately audit all Coolify instances to identify versions at or below 4.0.0-beta.434 and prioritize upgrading once a patch is released.
2. Until a patch is available, implement strict validation and sanitization of Host headers at the web server or reverse proxy level to reject or rewrite suspicious Host values.
3. Configure email templates and password reset workflows to use fixed, trusted domain names rather than dynamically reflecting the Host header.
4. Employ multi-factor authentication (MFA) on all Coolify accounts to reduce the impact of compromised credentials.
5. Educate users about phishing risks, specifically warning them not to click password reset links from unexpected emails.
6. Monitor logs for unusual password reset requests and anomalous Host header values.
7. Consider deploying web application firewalls (WAFs) with rules to detect and block Host header injection attempts.
8. Isolate Coolify management interfaces behind VPNs or internal networks where possible to reduce exposure.
9. Prepare incident response plans to quickly revoke and reset compromised accounts if exploitation is suspected.
10. Engage with the Coolify community or vendor for updates and patches, and subscribe to vulnerability advisories.
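The following is an added example, not code from Coolify or from this advisory. It shows the two application-side mitigations above (items 2, 3 and 6) in working form: a reset-link builder that reflects the request's Host header (the pattern the advisory describes) next to a hardened builder that uses a fixed, configured base URL and refuses to act on requests whose Host is not on an allowlist, plus a small log check that flags password-reset requests carrying an unexpected Host. The configuration names, the /forgot-password path, the log format and the log lines are all assumptions constructed for illustration; Coolify's real routes and configuration keys may differ.

```python
"""Host-header handling for password reset links: vulnerable pattern,
hardened pattern, and a log check. Example code, not Coolify's own;
all names, paths and sample data are constructed."""
import re
from typing import Optional

# Assumed deployment configuration. In a real deployment these come from
# environment/config, never from the incoming request.
CANONICAL_BASE_URL = "https://coolify.example.internal"
ALLOWED_HOSTS = {"coolify.example.internal"}
RESET_PATH = "/forgot-password"  # assumed route name


def _normalize_host(raw_host: str) -> str:
    """Strip an optional port and lower-case the hostname."""
    return raw_host.split(":", 1)[0].strip().lower()


def is_host_allowed(raw_host: str) -> bool:
    """True only if the request's Host header names this deployment."""
    return _normalize_host(raw_host) in ALLOWED_HOSTS


def vulnerable_reset_link(request_host: str, token: str) -> str:
    """The flawed pattern: the emailed link is built from whatever Host
    the request carried, so an attacker-chosen host reaches the victim's
    inbox and receives the token when the link is opened."""
    return f"https://{request_host}/reset-password/{token}"


def hardened_reset_link(request_host: str, token: str) -> Optional[str]:
    """The fixed pattern: the link host comes from configuration only.
    Returns None (send nothing) when Host is not on the allowlist, so a
    poisoned request never produces an email at all."""
    if not is_host_allowed(request_host):
        return None
    return f"{CANONICAL_BASE_URL}/reset-password/{token}"


# Constructed access-log lines in an nginx-like combined format with the
# Host header appended as a final quoted field.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jan/2026:20:49:10 +0000] "POST /forgot-password HTTP/1.1" 302 0 "coolify.example.internal"
203.0.113.77 - - [05/Jan/2026:20:50:02 +0000] "POST /forgot-password HTTP/1.1" 302 0 "lookalike.example"
198.51.100.5 - - [05/Jan/2026:20:51:30 +0000] "GET /dashboard HTTP/1.1" 200 512 "lookalike.example"
"""

LOG_LINE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ "(?P<host>[^"]*)"'
)


def suspicious_reset_requests(log_text: str, reset_path: str = RESET_PATH) -> list:
    """Return password-reset requests whose Host is not an allowed host.
    Each hit is a dict with the offending host and the raw log line."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_LINE.search(line)
        if not match or match["path"] != reset_path:
            continue
        if not is_host_allowed(match["host"]):
            hits.append({"host": match["host"], "line": line})
    return hits


if __name__ == "__main__":
    token = "constructed-token"
    print("vulnerable:", vulnerable_reset_link("lookalike.example", token))
    print("hardened  :", hardened_reset_link("lookalike.example", token))
    print("hardened  :", hardened_reset_link("coolify.example.internal", token))
    for hit in suspicious_reset_requests(SAMPLE_LOG):
        print("ALERT unexpected Host on password reset:", hit["host"])
```

The allowlist check belongs at the reverse proxy as well (item 2), so that a request with an unexpected Host never reaches the application; the application-side check is defence in depth for deployments where the proxy configuration is not under the same team's control. The log check only inspects reset requests, which keeps the alert volume low while still catching the header value the advisory describes.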


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-11-03T22:12:51.364Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 695c24a73839e441759038ed

Added to database: 1/5/2026, 8:52:55 PM

Last enriched: 1/5/2026, 9:07:27 PM

Last updated: 1/8/2026, 11:20:49 AM

