Executive Summary

This vulnerability is a rate-limit bypass in Coolify's /login endpoint starting from version 4.0.0-beta.434. Although the endpoint advertises a limit of 5 login attempts per client IP, it relies solely on the X-Forwarded-For HTTP header to identify the client IP. An attacker can rotate the X-Forwarded-For header value with each request, effectively resetting the rate limit counter repeatedly and bypassing the limit. This allows unlimited credential stuffing and brute-force attacks against user and admin accounts without needing an authenticated session beyond visiting the login page. [1]

Useful 0 Not Useful 0

Impact Analysis

The vulnerability enables attackers to perform unlimited brute-force login attempts, potentially leading to account takeover of both user and administrative accounts. This can result in compromise of all deployments, exposure of secrets and infrastructure, service disruption, data breaches, and other severe security consequences. [1]

Useful 0 Not Useful 0

Compliance Impact

This vulnerability can negatively impact compliance with standards such as GDPR and HIPAA because successful exploitation may lead to unauthorized access, data breaches, and exposure of sensitive personal or protected health information, which are violations of these regulations' requirements for data protection and security. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring the /login endpoint for unusual login request patterns, especially repeated login attempts with varying X-Forwarded-For header values that bypass the rate limit. A proof-of-concept involves sending multiple login requests with incrementing X-Forwarded-For IP addresses and observing if the rate limit resets (e.g., via X-RateLimit-* headers). You can use tools like curl or custom scripts to test this behavior. For example, a curl command rotating the X-Forwarded-For header in repeated login POST requests to /login and checking for 302 responses and rate-limit headers can help detect the bypass. Specific commands are not provided, but a Python script proof-of-concept exists demonstrating this technique. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include: 1) Derive client IP only from trusted proxy chains and ignore arbitrary X-Forwarded-For headers unless behind a configured reverse proxy. 2) Apply rate limiting keyed to both username/email and verified client IP. 3) Implement exponential backoff or fixed cooldowns per account after repeated failures, possibly including temporary account lockouts. 4) Enable multi-factor authentication (MFA) for privileged accounts, supporting WebAuthn or authenticator-based 2FA. 5) Add alerting for repeated failed login attempts and deploy CAPTCHA challenges after thresholds. Since no patch is currently available, these mitigations help reduce the risk of unlimited brute-force attacks. [1]

Useful 0 Not Useful 0