Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deployment workflow. The platform allows authenticated users, with low-level member privileges, to inject arbitrary shell commands via the Git Repository field during project creation. By submitting a crafted repository string containing command injection syntax, an attacker can execute arbitrary commands on the underlying host system, resulting in full server compromise.
History

Wed, 27 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 27 Aug 2025 17:00:00 +0000

Type Values Removed Values Added
Description Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deployment workflow. The platform allows authenticated users, with low-level member privileges, to inject arbitrary shell commands via the Git Repository field during project creation. By submitting a crafted repository string containing command injection syntax, an attacker can execute arbitrary commands on the underlying host system, resulting in full server compromise.
Title Coolify Git Repository Field Command Injection in Project Deployment Workflow
Weaknesses CWE-20
CWE-78
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2025-08-27T18:14:37.824Z

Reserved: 2025-04-15T19:15:22.566Z

Link: CVE-2025-34161

cve-icon Vulnrichment

Updated: 2025-08-27T18:13:44.028Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-08-27T17:15:38.297

Modified: 2025-08-29T16:24:09.860

Link: CVE-2025-34161

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.