CVE-2025-64425
Unknown Unknown - Not Provided
Host Header Injection in Coolify Enables Account Takeover via Password Reset

Publication date: 2026-01-05

Last updated on: 2026-01-05

Assigner: GitHub, Inc.

Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, an attacker can initiate a password reset for a victim, and modify the host header of the request to a malicious value. The victim will receive a password reset email, with a link to the malicious host. If the victim clicks this link, their reset token is sent to the attacker's server, allowing the attacker to use it to change the victim's password and takeover their account. As of time of publication, it is unclear if a patch is available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-05
Last Modified
2026-01-05
Generated
2026-06-16
AI Q&A
2026-01-06
EPSS Evaluated
2026-06-15
NVD
CVE-2025-64425
EUVD
EUVD-2025-206233
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
coollabsio coolify to 4.0.0-beta.434 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-644 The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows an attacker to take over user accounts by intercepting password reset tokens, leading to unauthorized access to personal data. Such unauthorized access and potential data breaches can result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding user data and preventing unauthorized access. Therefore, the vulnerability negatively impacts compliance with these common standards and regulations. [2]

Executive Summary

This vulnerability in Coolify (up to v4.0.0-beta.434) allows an attacker to manipulate the host header in a password reset request. The attacker initiates a password reset for a victim but changes the host header to a malicious domain. The victim receives a reset email with a link pointing to the attacker's domain. If the victim clicks the link, their reset token is sent to the attacker, who can then use it to reset the victim's password and take over their account. [2]

Impact Analysis

The vulnerability can lead to a full account takeover. An attacker can obtain a victim's password reset token by tricking them into clicking a malicious link, then use that token to change the victim's password and gain unauthorized access to their account. This compromises the victim's account confidentiality and integrity. [2]

Detection Guidance

This vulnerability can be detected by monitoring password reset requests for unusual or manipulated Host headers. Using a proxy tool like Burp Suite to intercept and inspect password reset HTTP requests can reveal if the Host header is being altered to a malicious domain. Network monitoring tools or logs should be checked for password reset requests where the Host header does not match the legitimate domain. Specific commands are not provided in the resources, but using Burp Suite or similar HTTP proxy tools to capture and modify requests is suggested. [2]

Mitigation Strategies

Immediate mitigation steps include preventing attackers from manipulating the Host header in password reset requests. Since no patch is available at the time of the advisory, it is recommended to monitor and restrict Host header values to only legitimate domains on the server side. Additionally, educating users not to click on suspicious password reset links and implementing additional verification steps in the password reset flow can help reduce risk. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64425. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart