CVE-2025-64422
Rate Limit Bypass in Coolify /login Enables Unlimited Brute Force

Publication date: 2026-01-05

Last updated on: 2026-01-05

Assigner: GitHub, Inc.

Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions starting with 4.0.0-beta.434, the /login endpoint advertises a rate limit of 5 requests but can be trivially bypassed by rotating the X-Forwarded-For header. This enables unlimited credential stuffing and brute-force attempts against user and admin accounts. At the time of publication, it is unclear whether a patch is available.
Meta Information
Published: 2026-01-05
Last Modified: 2026-01-05
Generated: 2026-05-07
AI Q&A: 2026-01-05
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: coollabsio
Product: coolify
Version / Range: From 4.0.0-beta.434 (inclusive)
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a rate-limit bypass in Coolify's /login endpoint, present from version 4.0.0-beta.434 onward. Although the endpoint advertises a limit of 5 login attempts per client IP, it identifies the client solely by the X-Forwarded-For HTTP header, a value the client itself can set. Sending a different X-Forwarded-For value with each request therefore makes every request look like a new client with its own fresh counter, so the limit is never reached. The result is unlimited credential stuffing and brute-force attempts against user and admin accounts, with no authentication required beyond reaching the login page. [1]


How can this vulnerability impact me?

The vulnerability enables attackers to perform unlimited brute-force login attempts, potentially leading to account takeover of both user and administrative accounts. This can result in compromise of all deployments, exposure of secrets and infrastructure, service disruption, data breaches, and other severe security consequences. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability can negatively impact compliance with standards such as GDPR and HIPAA because successful exploitation may lead to unauthorized access, data breaches, and exposure of sensitive personal or protected health information, which are violations of these regulations' requirements for data protection and security. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring the /login endpoint for unusual login request patterns, especially repeated login attempts from the same connection that carry varying X-Forwarded-For header values and still get past the rate limit. A proof of concept involves sending multiple login requests with incrementing X-Forwarded-For IP addresses and observing whether the rate limit resets (e.g., via the X-RateLimit-* response headers). Tools like curl or custom scripts can test this behavior: for example, repeating the login POST to /login with curl while rotating the X-Forwarded-For header, then checking for 302 responses and the rate-limit headers, shows whether the bypass works. Specific commands are not provided, but a Python proof-of-concept script exists that demonstrates this technique. [1]
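As an added example (not from the advisory and not Coolify code), the following Python script applies the detection described above to reverse-proxy access logs: it parses POST /login lines and flags a connecting address that sends more than the advertised 5 attempts inside a window while presenting several different X-Forwarded-For values. The log format, the regular expression and the sample lines are constructed for the example; adapt LOG_RE to the format your proxy actually writes, and make sure the log records the real TCP peer address alongside the header.

```python
"""Spot X-Forwarded-For rotation against /login in reverse-proxy access logs.

Added example, not Coolify code. The log format is constructed for the example:
a combined-style line with the X-Forwarded-For header appended as xff="...".
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# <peer_ip> [<ISO-8601 timestamp>] "<method> <path>" <status> xff="<header value or ->"
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) xff="(?P<xff>[^"]*)"$'
)


@dataclass
class LoginAttempt:
    peer: str        # address of the TCP peer that actually connected (not spoofable)
    ts: datetime
    status: int      # parsed for completeness; a form login often answers 302 either way
    xff: str         # whatever the client claimed in X-Forwarded-For


def parse_login_attempt(line):
    """Return a LoginAttempt for POST /login lines, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m or m["method"] != "POST" or m["path"] != "/login":
        return None
    return LoginAttempt(m["peer"], datetime.fromisoformat(m["ts"]), int(m["status"]), m["xff"])


def detect_xff_rotation(lines, window=timedelta(minutes=5), max_attempts=5, min_distinct_xff=3):
    """Flag a peer that sends more than `max_attempts` login POSTs inside `window`
    while presenting at least `min_distinct_xff` different X-Forwarded-For values.

    One real client behind one proxy shows one header value; many values from a
    single peer is the signature of a counter-reset attempt. One alert per peer.
    """
    by_peer = defaultdict(list)
    for line in lines:
        attempt = parse_login_attempt(line)
        if attempt is not None:
            by_peer[attempt.peer].append(attempt)

    alerts = []
    for peer, attempts in by_peer.items():
        attempts.sort(key=lambda a: a.ts)
        start = 0                                  # sliding window over the sorted attempts
        for end, current in enumerate(attempts):
            while current.ts - attempts[start].ts > window:
                start += 1
            bucket = attempts[start:end + 1]
            distinct = {a.xff for a in bucket}
            if len(bucket) > max_attempts and len(distinct) >= min_distinct_xff:
                alerts.append({
                    "peer": peer,
                    "attempts": len(bucket),
                    "distinct_xff": len(distinct),
                    "first": bucket[0].ts.isoformat(),
                    "last": bucket[-1].ts.isoformat(),
                })
                break
    return alerts


# Constructed sample log (not real traffic), three peers:
SAMPLE_LOG = (
    # a legitimate user: loads the form, mistypes once, then gets redirected in
    ['203.0.113.7 [2026-01-05T09:59:50] "GET /login" 200 xff="-"',
     '203.0.113.7 [2026-01-05T10:00:00] "POST /login" 302 xff="-"',
     '203.0.113.7 [2026-01-05T10:00:20] "POST /login" 302 xff="-"']
    # header rotation: eight POSTs in 35 s, every one with a fresh X-Forwarded-For value
    + [f'198.51.100.9 [2026-01-05T10:01:{5 * i:02d}] "POST /login" 302 xff="10.0.0.{i + 1}"'
       for i in range(8)]
    # plain hammering with no header games: the advertised 5-request limit already answers 429
    + [f'192.0.2.5 [2026-01-05T10:02:{5 * i:02d}] "POST /login" 429 xff="-"' for i in range(7)]
)

if __name__ == "__main__":
    for alert in detect_xff_rotation(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, only 198.51.100.9 is reported: the legitimate user never exceeds the limit and the plain hammering peer presents a single header value, which the ordinary per-IP limit already handles. When Coolify sits behind a trusted reverse proxy, the peer column in your logs is that proxy's address, so key the detector on the last proxy-appended hop instead of the raw peer.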


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:
1) Derive the client IP only from trusted proxy chains and ignore arbitrary X-Forwarded-For headers unless the application is behind a configured reverse proxy.
2) Apply rate limiting keyed to both username/email and verified client IP.
3) Implement exponential backoff or fixed cooldowns per account after repeated failures, possibly including temporary account lockouts.
4) Enable multi-factor authentication (MFA) for privileged accounts, supporting WebAuthn or authenticator-based 2FA.
5) Add alerting for repeated failed login attempts and deploy CAPTCHA challenges after thresholds.
Since no patch is currently available, these mitigations help reduce the risk of unlimited brute-force attacks. [1]
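Steps 1 to 3 above, as an added example in Python (not Coolify's own code): client_ip() consults X-Forwarded-For only when the TCP peer is one of the assumed TRUSTED_PROXIES and walks the chain from the right, so the address counted is the one the proxy observed rather than the one the client wrote; LoginLimiter then counts failures per verified IP, per account and per (account, IP) pair, and adds an exponential per-account cooldown after repeated failures. All names, the limits and the 10.0.0.0/8 proxy range are assumptions made for the example.

```python
"""Trusted-proxy-aware client IP plus rate limiting keyed on both account and IP.

Added example, not Coolify's code. TRUSTED_PROXIES is an assumed setting that must
match the real reverse-proxy addresses in front of the application; leave it empty
when the application terminates client connections itself.
"""
import ipaddress
import time
from collections import defaultdict

# Assumption for this example: the reverse proxy lives somewhere in 10.0.0.0/8.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def client_ip(peer_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Resolve the client address without trusting anything the client can write.

    X-Forwarded-For is consulted only when the TCP peer is a trusted proxy, and is
    walked right to left: each proxy appends the address it saw, so the rightmost
    non-trusted hop is the real client and everything left of it is unverified.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not any(peer in net for net in trusted):
        return str(peer)                       # direct connection: the header is client-controlled
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                              # malformed hop: stop walking, fall back to the peer
        if not any(addr in net for net in trusted):
            return str(addr)
    return str(peer)                           # no usable hop: limit on the proxy address itself


class LoginLimiter:
    """Sliding-window limits per IP, per account and per (account, IP), plus an
    exponential per-account cooldown once the failure streak reaches the limit."""

    def __init__(self, max_attempts=5, window=60, base_cooldown=30, max_cooldown=900,
                 now=time.monotonic):
        self.max_attempts, self.window = max_attempts, window
        self.base_cooldown, self.max_cooldown = base_cooldown, max_cooldown
        self.now = now                         # injectable clock (seconds)
        self.failures = defaultdict(list)      # key -> timestamps of recent failures
        self.streak = defaultdict(int)         # account -> consecutive failures
        self.locked_until = {}                 # account -> time the cooldown ends

    @staticmethod
    def _keys(account, ip):
        return (("ip", ip), ("account", account), ("pair", account, ip))

    def check(self, username, ip):
        """Return (allowed, reason). Rotating a header cannot help an attacker here:
        the account key and the verified-IP key are counted independently."""
        account, t = username.lower(), self.now()
        if t < self.locked_until.get(account, 0.0):
            return False, "cooldown"
        for key in self._keys(account, ip):
            recent = [s for s in self.failures[key] if t - s < self.window]
            self.failures[key] = recent
            if len(recent) >= self.max_attempts:
                return False, f"rate_limited:{key[0]}"
        return True, "ok"

    def record_failure(self, username, ip):
        account, t = username.lower(), self.now()
        for key in self._keys(account, ip):
            self.failures[key].append(t)
        self.streak[account] += 1
        excess = self.streak[account] - self.max_attempts
        if excess >= 0:                        # 5th failure: 30 s, 6th: 60 s, ..., capped at 15 min
            self.locked_until[account] = t + min(self.base_cooldown * 2 ** excess, self.max_cooldown)

    def record_success(self, username):
        account = username.lower()
        self.streak.pop(account, None)
        self.locked_until.pop(account, None)


def attempt_login(limiter, username, peer_addr, xff_header, password_ok):
    """The glue a login handler would run; `password_ok` stands in for the real credential check."""
    ip = client_ip(peer_addr, xff_header)
    allowed, reason = limiter.check(username, ip)
    if not allowed:
        return reason
    if password_ok:
        limiter.record_success(username)
        return "authenticated"
    limiter.record_failure(username, ip)
    return "bad_credentials"
```

With this keying, a rotated header changes nothing when the requests arrive directly (the header is ignored) and nothing when they arrive through the proxy (the proxy-appended hop is what gets counted), and switching usernames still runs into the per-IP counter. The per-account cooldown is the trade-off step 3 alludes to: anyone who knows a username can trigger it, so keep cooldowns short and capped and pair them with the alerting from step 5 rather than relying on long lockouts.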

