How severe is CVE-2025-22609?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 10 out of 10.

What type of vulnerability is CVE-2025-22609?

This is classified as CWE-862, which is a common weakness in software security.

CVE-2025-22609 - CRITICAL Severity | CVSS 10

Vulnerability Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to attach any existing private key on a coolify instance to his own server. If the server configuration of IP / domain, port (most likely 22) and user (root) matches with the victim's server configuration, then the attacker can use the `Terminal` feature and execute arbitrary commands on the victim's server. Version 4.0.0-beta.361 fixes the issue.

Related Vulnerabilities

CVE-2021-37535

CRITICAL

CVSS:10.0(Critical)

SAP NetWeaver Application Server Java (JMS Connector Service) - versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for user privileges.

CWE-8622021

CVE-2022-0543

CRITICAL

CVSS:10.0(Critical)

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.

CWE-8622022

CVE-2024-33566

CRITICAL

CVSS:10.0(Critical)

Missing Authorization vulnerability in N-Media OrderConvo allows OS Command Injection.This issue affects OrderConvo: from n/a through 12.4.

CWE-8622024

CVE-2024-52416

CRITICAL

CVSS:10.0(Critical)

Missing Authorization vulnerability in Eugen Bobrowski Debug Tool allows Upload a Web Shell to a Web Server.This issue affects Debug Tool: from n/a through 2.2.

CWE-8622024

CVE-2024-6071

CRITICAL

CVSS:10.0(Critical)

PTC Creo Elements/Direct License Server exposes a web interface which can be used by unauthenticated remote attackers to execute arbitrary OS commands on the server.

CWE-8622024

CVE-2024-6500

CRITICAL

CVSS:10.0(Critical)

The InPost for WooCommerce plugin and InPost PL plugin for WordPress are vulnerable to unauthorized access and deletion of data due to a missing capability check on the 'parse_request' function in all...

CWE-8622024