Coolify Password Reset Vulnerability with Host Header Injection Leading to Account Takeover

Vulnerability

A vulnerability in Coolify, an open-source tool for managing servers and applications, allows an attacker to hijack a user's account by abusing the password reset process. In versions up to and including v4.0.0-beta.434, the reset link placed in the password reset email is built from the Host header of the incoming request, so an attacker can set that header to a domain they control when requesting a reset for the victim's account. The emailed link then points at the attacker's server instead of the legitimate Coolify instance, and the reset token is delivered to the attacker when the victim clicks it. With the token in hand, the attacker can reset the victim's password and gain access to their account.

Impact

Exploitation of this vulnerability allows for unauthorized account access, enabling an attacker to take over a victim's account by intercepting and using their password reset token.

Reproduction

To reproduce this vulnerability, intercept a password reset request using a proxy tool such as Burp Suite. Change the Host header to a domain controlled by the attacker, then forward the request. When the victim clicks the link in the password reset email, the reset token is sent to the attacker's server instead of the legitimate Coolify instance.
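The root cause and the fix, as an added example that is not Coolify's own code: the vulnerable pattern builds the reset link from the request's Host header, while the hardened pattern rejects requests for any host outside a trusted allowlist and builds the link from a configured canonical URL. It also shows a detection pass over constructed log lines that flags reset requests arriving with an untrusted Host; the APP_URL, hostnames, log format and the `/forgot-password` path are assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed configuration for the example: the canonical public URL that
# operators configure for the instance, and the hostnames it may be reached on.
APP_URL = "https://coolify.example.com"
TRUSTED_HOSTS = {"coolify.example.com"}
RESET_PATHS = {"/forgot-password"}  # assumed path of the reset-request endpoint

def hostname_of(host_header: str):
    """Return the bare hostname from a Host header value, dropping any port."""
    return urlsplit("//" + host_header).hostname  # handles host:port and [ipv6]:port

def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable pattern: the link is built from whatever Host the client sent,
    so a spoofed Host makes the emailed link point at the attacker's server."""
    return f"https://{headers['Host']}/reset-password/{token}"

def reset_link_hardened(headers: dict, token: str):
    """Hardened pattern: only serve requests for a trusted host, and build the
    link from the configured APP_URL, never from the request headers."""
    if hostname_of(headers.get("Host", "")) not in TRUSTED_HOSTS:
        return None  # caller should reject the request (e.g. HTTP 400)
    return f"{APP_URL}/reset-password/{token}"

def suspicious_reset_requests(log_lines):
    """Detection: flag reset-request entries whose Host is not a trusted host.
    Constructed log format: client_ip host method path status."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 5:
            continue
        client_ip, host, _method, path, _status = fields
        if path in RESET_PATHS and hostname_of(host) not in TRUSTED_HOSTS:
            hits.append((client_ip, host))
    return hits

# Constructed sample log lines: one reset request carries a spoofed Host.
SAMPLE_LOG = [
    "10.0.0.5 coolify.example.com POST /forgot-password 302",
    "10.0.0.9 attacker.example POST /forgot-password 302",
    "10.0.0.5 coolify.example.com GET /dashboard 200",
]

if __name__ == "__main__":
    print(reset_link_vulnerable({"Host": "attacker.example"}, "TOKEN"))
    print(reset_link_hardened({"Host": "attacker.example"}, "TOKEN"))
    print(suspicious_reset_requests(SAMPLE_LOG))
```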

Added: Jan 5, 2026, 9:19 PM
Updated: Jan 5, 2026, 10:31 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 7.7
remediation: 0.0
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.