Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deployment workflow. The platform allows authenticated users, with low-level member privileges, to inject arbitrary shell commands via the Git Repository field during project creation. By submitting a crafted repository string containing command injection syntax, an attacker can execute arbitrary commands on the underlying host system, resulting in full server compromise.
Metrics
Affected Vendors & Products
References
History
Wed, 27 Aug 2025 19:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Wed, 27 Aug 2025 17:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deployment workflow. The platform allows authenticated users, with low-level member privileges, to inject arbitrary shell commands via the Git Repository field during project creation. By submitting a crafted repository string containing command injection syntax, an attacker can execute arbitrary commands on the underlying host system, resulting in full server compromise. | |
Title | Coolify Git Repository Field Command Injection in Project Deployment Workflow | |
Weaknesses | CWE-20 CWE-78 |
|
References |
| |
Metrics |
cvssV4_0
|

Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2025-08-27T18:14:37.824Z
Reserved: 2025-04-15T19:15:22.566Z
Link: CVE-2025-34161

Updated: 2025-08-27T18:13:44.028Z

Status : Awaiting Analysis
Published: 2025-08-27T17:15:38.297
Modified: 2025-08-29T16:24:09.860
Link: CVE-2025-34161

No data.

No data.