CVE-2025-64425 (CNNVD-202601-821)
中文标题:
Coolify 安全漏洞
英文标题:
Coolify has host header injection in forgot password
漏洞描述
中文描述:
Coolify是coolLabs开源的一个开源和自托管的 Heroku/Netlify/Vercel 替代品。 Coolify v4.0.0-beta.434及之前版本存在安全漏洞,该漏洞源于可修改密码重置请求的主机标头,可能导致账户接管。
英文描述:
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, an attacker can initiate a password reset for a victim, and modify the host header of the request to a malicious value. The victim will receive a password reset email, with a link to the malicious host. If the victim clicks this link, their reset token is sent to the attacker's server, allowing the attacker to use it to change the victim's password and takeover their account. As of time of publication, it is unclear if a patch is available.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| coollabsio | coolify | <= 4.0.0-beta.434 | - | - |
cpe:2.3:a:coollabsio:coolify:<=_4.0.0-beta.434:*:*:*:*:*:*:*
|
| coollabs | coolify | * | - | - |
cpe:2.3:a:coollabs:coolify:*:*:*:*:*:*:*:*
|
| coollabs | coolify | 4.0.0 | - | - |
cpe:2.3:a:coollabs:coolify:4.0.0:beta100:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
4.0 (cna)
HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-64425 |
2026-01-07 02:47:01 | 2026-01-12 02:12:18 |
| NVD | nvd_CVE-2025-64425 |
2026-01-09 03:00:07 | 2026-01-12 02:28:00 |
| CNNVD | cnnvd_CNNVD-202601-821 |
2026-01-11 06:15:06 | 2026-01-12 02:38:16 |
版本与语言
安全公告
变更历史
查看详细变更
- affected_products_count: 1 -> 3
查看详细变更
- vulnerability_type: 未提取 -> 其他
- cnnvd_id: 未提取 -> CNNVD-202601-821
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- data_sources: ['cve'] -> ['cve', 'nvd']