Unrated severity · OSV Advisory · Published Jan 5, 2026 · Updated Jan 5, 2026
Coolify has host header injection in forgot password
CVE-2025-64425
Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, an attacker can initiate a password reset for a victim and modify the Host header of the request to a malicious value. The victim will receive a password reset email with a link to the malicious host. If the victim clicks this link, their reset token is sent to the attacker's server, allowing the attacker to use it to change the victim's password and take over their account. As of the time of publication, it is unclear if a patch is available.
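The pattern described above, as an added framework-neutral example (not Coolify's code, which this advisory does not show): a reset link built from the request's Host header beside one built from server-side configuration, plus a host allowlist check. The base URL, the `/reset-password` path, the function names and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import urlencode, urlsplit

# Assumed deployment setting: the single origin users reach the app on.
CANONICAL_BASE_URL = "https://coolify.example.com"
TRUSTED_HOSTS = {urlsplit(CANONICAL_BASE_URL).netloc.lower()}


def reset_link_from_request(headers, token):
    """Vulnerable pattern: the link origin is whatever the client sent as Host."""
    host = headers.get("Host", "")
    return f"https://{host}/reset-password?{urlencode({'token': token})}"


def reset_link_from_config(token):
    """Hardened pattern: the link origin comes only from server-side config."""
    return f"{CANONICAL_BASE_URL}/reset-password?{urlencode({'token': token})}"


def host_is_trusted(headers):
    """Defence in depth: reject a missing or non-allowlisted Host or X-Forwarded-Host."""
    for name in ("Host", "X-Forwarded-Host"):
        value = headers.get(name)
        if value is not None and value.strip().lower() not in TRUSTED_HOSTS:
            return False
    return "Host" in headers


def handle_forgot_password(headers, token):
    """Return the link to e-mail, or None when the request is refused."""
    if not host_is_trusted(headers):
        return None
    return reset_link_from_config(token)


if __name__ == "__main__":
    # Constructed sample requests (header names assumed already normalised).
    token = "CONSTRUCTED-TOKEN"
    normal = {"Host": "coolify.example.com"}
    substituted = {"Host": "attacker.example"}
    print("vulnerable:", reset_link_from_request(substituted, token))
    print("hardened, substituted Host:", handle_forgot_password(substituted, token))
    print("hardened, normal Host:", handle_forgot_password(normal, token))
```

Logging each refused request with its Host value gives defenders a signal that reset-link poisoning is being attempted.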
Affected products
- Range: 4.0.0-beta.39, 4.0.0-beta.40, v1.0.0, …
Patches
No patches discovered yet.
References
- drive.google.com/file/d/1I5sJHcpetJbKlwVS2usAD7qmgH37Y4rw/view (mitre, x_refsource_MISC)
- github.com/coollabsio/coolify/security/advisories/GHSA-f737-2p93-g2cw (mitre, x_refsource_CONFIRM)