CVE-2025-64425
Host Header Injection in Coolify Enables Account Takeover via Password Reset
Publication date: 2026-01-05
Last updated on: 2026-01-05
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| coollabsio | coolify | up to and including 4.0.0-beta.434 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-644 | The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash. |
AI Powered Q&A
Can you explain this vulnerability to me?
Coolify up to and including v4.0.0-beta.434 builds the password-reset link from the Host header of the incoming request instead of from a configured application URL. The Host header is fully attacker-controlled, so an attacker submits a password-reset request for the victim's email address with the Host header set to a domain they control. The application generates a valid reset token and emails the victim a link whose hostname is the attacker's domain but whose token is genuine. If the victim clicks the link, the browser sends the token to the attacker's server; the attacker then uses it against the real Coolify instance to set a new password and take over the account. [2]
How can this vulnerability impact me?
The vulnerability can lead to a full account takeover. An attacker can obtain a victim's password reset token by tricking them into clicking a malicious link, then use that token to change the victim's password and gain unauthorized access to their account. This compromises the victim's account confidentiality and integrity. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To confirm whether an instance is affected, send a password-reset request through an intercepting proxy such as Burp Suite with the Host header changed to a domain you control, then check whether the emailed reset link points at that domain. For ongoing detection, review web-server or reverse-proxy logs for password-reset requests whose Host header does not match the instance's legitimate domain; a request to the reset endpoint carrying a foreign Host value is a strong indicator of an attempt. Mail logs can likewise be checked for outgoing reset emails whose links do not point at the legitimate domain. The referenced resources do not provide specific commands; an HTTP proxy to capture and modify requests is the suggested tooling. [2]
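The log review described above, as an added example that is not part of the original page or of Coolify itself. It assumes an access-log format that records the Host header (a constructed nginx-style layout with the host as the second field), a single legitimate hostname, and that the reset flow lives under the paths /forgot-password and /reset-password; the route names and the sample log lines are assumptions made for the example.

```python
"""Flag password-reset requests whose Host header is not an allow-listed domain.

Added example, not Coolify's code or the advisory's. The log format, the
legitimate hostname and the reset route paths below are assumptions.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"coolify.example.com"}                 # assumed legitimate hostname
RESET_PATHS = ("/forgot-password", "/reset-password")   # assumed reset route paths

# Constructed log lines: client, Host header, "METHOD path protocol", status.
SAMPLE_LOG = """\
203.0.113.10 coolify.example.com "POST /forgot-password HTTP/1.1" 302
203.0.113.10 coolify.example.com "GET /dashboard HTTP/1.1" 200
198.51.100.7 attacker.example.net "POST /forgot-password HTTP/1.1" 302
198.51.100.7 coolify.example.com:443 "POST /forgot-password HTTP/1.1" 302
198.51.100.9 attacker.example.net "GET /login HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) [^"]*" (\d{3})$')


@dataclass(frozen=True)
class Finding:
    client: str
    host: str
    path: str


def normalize_host(host: str) -> str:
    """Lower-case the Host value and drop any port, so "Example.com:443" -> "example.com"."""
    # urlsplit handles both "host:port" and bracketed IPv6 literals for us.
    return (urlsplit("//" + host).hostname or "").lower()


def find_suspicious_resets(log_text: str, allowed=ALLOWED_HOSTS, reset_paths=RESET_PATHS):
    """Return one Finding per POST to a reset path whose Host is not allow-listed."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        client, host, method, path, _status = m.groups()
        if method != "POST":
            continue
        if path.split("?", 1)[0] not in reset_paths:
            continue
        if normalize_host(host) not in allowed:
            findings.append(Finding(client=client, host=host, path=path))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_resets(SAMPLE_LOG):
        print(f"suspicious reset request: client={f.client} host={f.host} path={f.path}")
```

Only the third sample line is flagged: the fourth carries the legitimate host with an explicit port, which is normalized away, and the fifth uses a foreign Host on a non-reset path. Logs that do not record the Host header at all (the default combined format does not) cannot be used this way and the proxy or web-server log format needs to include it first.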
What immediate steps should I take to mitigate this vulnerability?
The Host header cannot be kept out of an attacker's hands, so mitigation means not trusting it: password-reset links should be generated from a configured canonical application URL rather than from the request, and requests whose Host header is not on an allow-list of legitimate domains should be rejected at the reverse proxy or in the application. The advisory text states that no patch was available at the time of writing, so these server-side controls are the immediate measure. Additionally, telling users to treat unexpected password-reset emails with suspicion, and adding verification steps to the reset flow, reduce the chance that a forged link is followed. [2]
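The two server-side controls just described, as an added example in Python rather than Coolify's own PHP/Laravel code: a reset-link builder that trusts the Host header (the vulnerable pattern) next to one that builds the link from a configured base URL and rejects requests with an unknown Host. APP_URL, ALLOWED_HOSTS, the /reset-password path and the request headers are assumptions made for the example.

```python
"""Password-reset link construction: Host-derived (vulnerable) vs. config-derived (hardened).

Added example, not Coolify's code. APP_URL, ALLOWED_HOSTS and the reset path are
assumed stand-ins for the application's real configuration.
"""
import secrets
from urllib.parse import urlencode, urlsplit

APP_URL = "https://coolify.example.com"   # assumed canonical base URL from config
ALLOWED_HOSTS = {"coolify.example.com"}   # assumed host allow-list
RESET_PATH = "/reset-password"            # assumed route path


class InvalidHost(Exception):
    """Raised when the request names a host that is not allow-listed."""


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Vulnerable pattern: the link's hostname comes straight from the Host header."""
    host = headers.get("Host", "")
    return f"https://{host}{RESET_PATH}?{urlencode({'token': token})}"


def host_is_allowed(headers: dict, allowed=ALLOWED_HOSTS) -> bool:
    """True only if Host and, when present, X-Forwarded-Host are both allow-listed.

    Checking the forwarded header too matters behind a proxy that passes it
    through, since the application may otherwise read the forged value from it.
    """
    for name in ("Host", "X-Forwarded-Host"):
        raw = headers.get(name)
        if raw is None:
            continue
        hostname = (urlsplit("//" + raw).hostname or "").lower()
        if hostname not in allowed:
            return False
    return "Host" in headers


def hardened_reset_link(headers: dict, token: str, base_url: str = APP_URL) -> str:
    """Hardened pattern: reject unknown hosts, then build the link from configuration."""
    if not host_is_allowed(headers):
        raise InvalidHost(headers.get("X-Forwarded-Host") or headers.get("Host", ""))
    # Nothing from the request reaches the link; only the configured base URL does.
    return f"{base_url.rstrip('/')}{RESET_PATH}?{urlencode({'token': token})}"


if __name__ == "__main__":
    token = secrets.token_urlsafe(32)
    forged = {"Host": "attacker.example.net"}        # constructed attacker request
    legitimate = {"Host": "coolify.example.com"}     # constructed normal request
    print("vulnerable, forged Host :", vulnerable_reset_link(forged, token))
    print("hardened, legitimate    :", hardened_reset_link(legitimate, token))
    try:
        hardened_reset_link(forged, token)
    except InvalidHost as exc:
        print("hardened, forged Host   : rejected", exc)
```

Even with the allow-list in place, the link should still come from the configured base URL and not from the (now validated) Host header; the allow-list stops the request early, the configured URL removes the dependency altogether, and either control alone would have prevented the token from reaching the attacker's domain.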
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
By allowing an attacker to capture password-reset tokens and take over user accounts, this vulnerability leads to unauthorized access to the personal data those accounts hold. Unauthorized access of this kind, and any resulting data breach, puts an organization at odds with data protection regulations such as GDPR and HIPAA, which require safeguarding user data and preventing unauthorized access. The vulnerability therefore negatively affects compliance with these standards. [2]