CRITICAL🇵🇱 Wersja polska

CVE-2025-59157

CVSS 9.9v3.1pub. 2026-01-05upd. 2026-01-12

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, the Git Repository field during project creation is vulnerable to command injection. User input is not properly sanitized, allowing attackers to inject arbitrary shell commands that execute on the underlying server during the deployment workflow. A regular member user can exploit this vulnerability. Version 4.0.0-beta.420.7 contains a patch for the issue.

🤖 AI Analysis
How it works

When creating a new project, the 'Git Repository' field does not subject user input to appropriate sanitization. An attacker can enter a malicious string containing embedded system shell commands. The entered data is then passed directly to the server execution environment during the deployment workflow, resulting in the execution of injected commands on the base server.

Impact

An attacker with regular member privileges can execute arbitrary commands on the server, gaining full control over the confidentiality, integrity, and availability of the system, potentially exceeding the boundaries of environment isolation.

Mitigation & patch

Coolify should be updated to version 4.0.0-beta.420.7 or later, which contains a patch eliminating the vulnerability. Details available in the vendor references: https://github.com/coollabsio/coolify/security/advisories/GHSA-5cg9-38qj-8mc3

Who is affected

Coolify (Coollabs) in versions prior to 4.0.0-beta.420.7

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Coollabs Coolify

    APP
    Coollabs
    4.0.0< 4.0.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2025-64419CRITICAL9.6PL ✓ten sam produkt

Command injection w Coolify via docker-compose.yaml — RCE jako root

CVE-2025-64420CRITICAL9.9PL ✓ten sam produkt

Coolify: nieuprawniony dostęp do prywatnego klucza SSH użytkownika root

CVE-2025-59156CRITICAL9.4PL ✓ten sam produkt

RCE w Coolify — command injection w konfiguracji Docker Compose

CVE-2025-59158CRITICAL9.4PL ✓ten sam produkt

Stored XSS w Coolify — atak przez złośliwą nazwę projektu

CVE-2025-64424CRITICAL9.4PL ✓ten sam produkt

Command injection w Coolify — wykonanie poleceń jako root przez użytkownika