CVE-2025-64422
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify vstarting with version 4.0.0-beta.434, the /login endpoint advertises a rate limit of 5 requests but can be trivially bypassed by rotating the X-Forwarded-For header. This enables unlimited credential stuffing and brute-force attempts against user and admin accounts. As of time of publication, it is unclear if a patch is available.
Vendor
Product
CWE
Yayın Tarihi
2026-01-05 21:16:12
Güncelleme
2026-01-12 14:23:36
Source Identifier
security-advisories@github.com
KEV Date Added
-