
GitHub / GitLab OAuth Secrets Leak

High
andrasbacsai published GHSA-8w24-gfgq-jg72 Jan 24, 2025

Package

coolify (coollabsio)

Affected versions

< v4.0.0-beta.361

Patched versions

v4.0.0-beta.361

Description

A missing authorization check lets any authenticated user load the details page of any GitHub or GitLab source configured on a Coolify instance, knowing only the UUID of the underlying model; the lookup is keyed on the UUID alone and never verifies that the source belongs to the requesting user.
That page exposes the source's client ID, client secret and webhook secret, with which an attacker can act as the registered OAuth application / GitHub App and forge webhook deliveries to the instance.

PoC

https://your-own-coolify.instance/source/github/<UUID>
https://your-own-coolify.instance/source/gitlab/<UUID>
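The two lookups side by side, as an added Python model of the bug described above (this is not Coolify's code, which is PHP/Laravel; the class names, the team_id field, the sample UUIDs and the secret values are all assumed). The unscoped function reproduces the vulnerable behaviour: any authenticated user who knows a UUID gets the secrets. The scoped function constrains the query to the caller's team before matching the UUID and returns the same "not found" for a foreign UUID as for a nonexistent one, so it leaks neither the secrets nor the existence of the record, and it masks the client secret before rendering.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    name: str
    team_id: int  # tenant the authenticated session belongs to (assumed field)


@dataclass(frozen=True)
class GitSource:
    uuid: str
    team_id: int        # owning team (assumed field name)
    provider: str       # "github" or "gitlab"
    client_id: str
    client_secret: str
    webhook_secret: str


# Constructed sample data: one GitHub App owned by team 1, one GitLab App owned by team 2.
SOURCES = [
    GitSource("6a0f1c2e", 1, "github", "Iv1.example", "github-client-secret", "github-webhook-secret"),
    GitSource("b93d44e7", 2, "gitlab", "gitlab-app-id", "gitlab-client-secret", "gitlab-webhook-secret"),
]


def details_unscoped(user: User, provider: str, uuid: str) -> Optional[dict]:
    """Vulnerable pattern: the query matches on provider + UUID only.

    `user` is accepted (the route is behind login) but never consulted, which is
    exactly the missing-authorization condition: any logged-in account, any UUID.
    Returns None where the web framework would answer 404.
    """
    for s in SOURCES:
        if s.provider == provider and s.uuid == uuid:
            return {
                "client_id": s.client_id,
                "client_secret": s.client_secret,
                "webhook_secret": s.webhook_secret,
            }
    return None


def mask(secret: str, keep: int = 4) -> str:
    """Render only the tail of a secret; a details page rarely needs the full value."""
    return "*" * keep + secret[-keep:]


def details_scoped(user: User, provider: str, uuid: str) -> Optional[dict]:
    """Hardened pattern: scope to the caller's team first, then match the UUID.

    A UUID owned by another team falls through to the same None/404 as a UUID
    that does not exist, so the response does not confirm the record exists.
    """
    for s in SOURCES:
        if s.team_id != user.team_id:
            continue  # tenant check happens before anything about the record is revealed
        if s.provider == provider and s.uuid == uuid:
            return {
                "client_id": s.client_id,
                "client_secret": mask(s.client_secret),
                "webhook_secret": mask(s.webhook_secret),
            }
    return None


if __name__ == "__main__":
    mallory = User("mallory", team_id=2)  # authenticated, but not on team 1
    print("unscoped:", details_unscoped(mallory, "github", "6a0f1c2e"))  # secrets of team 1 leak
    print("scoped:  ", details_scoped(mallory, "github", "6a0f1c2e"))    # None -> 404
```

In a real application the scoping belongs in the query itself (filter by the session's team before `firstOrFail`-style lookups), not in a check bolted on after the record has been fetched, so that a forgotten check cannot reintroduce the leak.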

Severity

High

CVE ID

CVE-2025-22607

Weaknesses

Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Missing Authorization (CWE-862)

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Credits