Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, the Git Repository field during project creation is vulnerable to command injection. User input is not properly sanitized, allowing attackers to inject arbitrary shell commands that execute on the underlying server during the deployment workflow. A regular member user can exploit this vulnerability. Version 4.0.0-beta.420.7 contains a patch for the issue.
When creating a new project, the 'Git Repository' field does not subject user input to appropriate sanitization. An attacker can enter a malicious string containing embedded system shell commands. The entered data is then passed directly to the server execution environment during the deployment workflow, resulting in the execution of injected commands on the base server.
An attacker with regular member privileges can execute arbitrary commands on the server, gaining full control over the confidentiality, integrity, and availability of the system, potentially exceeding the boundaries of environment isolation.
Coolify should be updated to version 4.0.0-beta.420.7 or later, which contains a patch eliminating the vulnerability. Details available in the vendor references: https://github.com/coollabsio/coolify/security/advisories/GHSA-5cg9-38qj-8mc3
Coolify (Coollabs) in versions prior to 4.0.0-beta.420.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HCoollabs Coolify
APPCoollabs4.0.0< 4.0.0
Related vulnerabilities
Command injection w Coolify via docker-compose.yaml — RCE jako root
Coolify: nieuprawniony dostęp do prywatnego klucza SSH użytkownika root
RCE w Coolify — command injection w konfiguracji Docker Compose
Stored XSS w Coolify — atak przez złośliwą nazwę projektu
Command injection w Coolify — wykonanie poleceń jako root przez użytkownika