Coolify Rate Limit Bypass Vulnerability in Login Endpoint Allowing Credential Stuffing

Vulnerability

A vulnerability in Coolify versions 4.0.0-beta.434 and later allows the rate limit on the login endpoint to be bypassed. The endpoint advertises a limit of 5 requests, but that limit can be defeated simply by rotating the X-Forwarded-For header. This enables unlimited credential stuffing and brute-force attacks against both user and admin accounts. The root cause is that the rate limit is keyed per IP address, and the IP address is taken from the X-Forwarded-For header, so varying the header starts a fresh request counter and effectively removes the limit. Exploitation requires minimal conditions: an attacker only needs network access to the endpoint and does not need a valid session beyond the initial anonymous session established by visiting the login page.

Impact

The vulnerability allows for unlimited brute-force attempts on the login page, significantly increasing the likelihood of account takeover, particularly for administrative accounts. Such compromises could lead to disruptions in service, unauthorized access to sensitive data and secrets, and potential regulatory issues if user accounts are affected.

Reproduction

To reproduce this vulnerability, send requests to the Coolify login endpoint while rotating the X-Forwarded-For header. Start by making a GET request to the login page to retrieve the CSRF token and session cookie. Then send POST requests to the login endpoint, including the token, email, and password, while varying the X-Forwarded-For header to spoof the client IP address. Each request is treated as coming from a new client, so the rate limit counter never accumulates and login attempts proceed without restriction.

Remediation

To address this vulnerability, Coolify should implement rate limiting based on both the client IP and the username or email being used. Additionally, the application could introduce measures such as exponential backoff after failed login attempts, temporary account locks, and alerts for repeated failed logins. Enabling multi-factor authentication for privileged accounts and incorporating CAPTCHA after a certain number of failed attempts could further mitigate the risk.
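The following is an added illustration of the remediation above, not Coolify's own code: a login rate limiter that only honours X-Forwarded-For when the TCP peer is a trusted reverse proxy and that throttles per target email as well as per client IP. The trusted-proxy address, the 60-second window and the sample addresses are constructed assumptions; the 5-attempt limit matches the figure the advisory cites.

```python
import time
from collections import defaultdict, deque

# Assumptions (not Coolify's code): proxies allowed to set X-Forwarded-For, and the advertised 5-attempt limit.
TRUSTED_PROXIES = {"10.0.0.2"}
LIMIT, WINDOW = 5, 60.0

class LoginRateLimiter:
    def __init__(self, trust_any_xff=False, per_identity=True, now=time.monotonic):
        self.trust_any_xff = trust_any_xff  # True reproduces the weak keying the advisory describes
        self.per_identity = per_identity    # also throttle per email, as the remediation suggests
        self.now = now                      # injectable clock so the window can be tested deterministically
        self.hits = defaultdict(deque)

    def client_ip(self, peer_ip, headers):
        # Only honour X-Forwarded-For when the TCP peer is a trusted proxy; from anyone else it is attacker-chosen.
        xff = headers.get("X-Forwarded-For", "")
        if xff and (self.trust_any_xff or peer_ip in TRUSTED_PROXIES):
            return xff.split(",")[0].strip()
        return peer_ip

    def _allow(self, key):
        # Sliding-window counter: drop timestamps older than WINDOW, then admit only if still under LIMIT.
        q, t = self.hits[key], self.now()
        while q and t - q[0] > WINDOW:
            q.popleft()
        if len(q) >= LIMIT:
            return False
        q.append(t)
        return True

    def allow_attempt(self, peer_ip, headers, email):
        ip = self.client_ip(peer_ip, headers)
        if not self._allow(("ip", ip)):
            return False
        # Per-identity key: rotating source addresses no longer resets the counter for one target account.
        return not self.per_identity or self._allow(("email", email.strip().lower()))

def count_allowed(limiter, attempts, email="admin@example.com", peer_ip="203.0.113.9"):
    """Simulate `attempts` POSTs from one untrusted peer that rotates X-Forwarded-For each time (constructed input)."""
    allowed = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"198.51.100.{i % 250}"}
        if limiter.allow_attempt(peer_ip, headers, email):
            allowed += 1
    return allowed

if __name__ == "__main__":
    print("weak keying:", count_allowed(LoginRateLimiter(trust_any_xff=True, per_identity=False), 20))  # 20
    print("hardened:   ", count_allowed(LoginRateLimiter(), 20))  # 5
```

With the weak keying all 20 rotated requests pass; with the hardened keying only the first 5 do, and a later request from the real proxy still resolves to the forwarded client address.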

Added: Jan 5, 2026, 9:21 PM
Updated: Jan 5, 2026, 9:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 7.6
remediation: 0.0
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.