Resource exhaustion in Coollabsio Coolify
CVE-2025-64422
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify starting with version 4.0.0-beta.434, the /login endpoint advertises a rate limit of 5 requests but can be trivially bypassed b…
EPSS: 0.000 (13.8th percentile)
Affected products
- Coollabsio Coolify — versions >= 4.0.0-beta.434
Weakness classification (CWE)
References
- https://github.com/coollabsio/coolify/security/advisories/GHSA-688j-rm43-5r8x (x_refsource_CONFIRM)