CVE-2025-34161 Overview
CVE-2025-34161 is a critical command injection vulnerability in Coolify, an open-source self-hosted PaaS platform developed by Coollabs. The flaw exists in the project deployment workflow of versions prior to v4.0.0-beta.420.7. Authenticated users with low-level member privileges can inject arbitrary shell commands through the Git Repository field during project creation. By submitting a crafted repository string containing shell metacharacters, attackers execute arbitrary commands on the underlying host. Successful exploitation results in full server compromise, including access to deployed applications, secrets, and adjacent infrastructure.
Critical Impact
Authenticated low-privilege users can achieve remote code execution on the Coolify host, leading to full server takeover and lateral movement across hosted projects.
Affected Products
- Coollabs Coolify versions 4.0.0-beta.18 through 4.0.0-beta.420.6
- All Coolify v4 beta releases prior to v4.0.0-beta.420.7
- Self-hosted Coolify deployments exposing the project creation interface to authenticated members
Discovery Timeline
- 2025-08-27 - CVE-2025-34161 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-34161
Vulnerability Analysis
The vulnerability is classified under [CWE-78] (OS Command Injection) and [CWE-20] (Improper Input Validation). Coolify accepts a Git repository string from authenticated members during project creation and passes it to underlying shell operations without sufficient sanitization. The platform invokes git commands against the user-supplied value as part of its deployment pipeline. When the input contains shell metacharacters such as backticks, semicolons, or $() constructs, the host shell interprets them as command separators. The injected commands execute under the Coolify service account, which typically runs Docker operations and holds privileged access to the host. Because Coolify orchestrates containers, network configuration, and credential stores, code execution at this layer compromises every project managed by the instance.
Root Cause
The root cause is the lack of input validation and shell-safe argument handling on the Git Repository field. Coolify treats the field as a trusted parameter and interpolates it into shell command strings rather than passing it as an isolated argument vector. Authorization checks limit the action to authenticated users, but member-level accounts are sufficient to reach the vulnerable code path.
Attack Vector
An attacker with member-tier credentials authenticates to the Coolify web interface and initiates project creation. In the Git Repository input, the attacker supplies a string that combines a legitimate-looking URL with appended shell syntax such as a command substitution sequence. When Coolify dispatches the deployment workflow, the shell expands the injected payload, executing attacker-controlled commands. The attack requires network access to the Coolify management interface and a valid low-privilege account. Public proof-of-concept material is referenced at GitHub CVE-2025-34161 PoC.
The vulnerability is exploited through the Git Repository field during project creation. An attacker submits a value that combines a benign repository path with shell metacharacters, and the unsanitized string is passed to the system shell when Coolify invokes git operations during deployment. See the GitHub CVE-2025-34161 PoC for technical details of the payload structure.
Detection Methods for CVE-2025-34161
Indicators of Compromise
- Unexpected child processes spawned by the Coolify service or git binary, such as sh, bash, curl, wget, or nc
- Outbound network connections from the Coolify host to attacker-controlled infrastructure shortly after project creation events
- New or modified files in deployment working directories, SSH key stores, or cron locations on the Coolify host
- Project entries in Coolify with Git Repository values containing shell metacharacters (;, |, `, $(), &&)
Detection Strategies
- Audit Coolify application logs and database records for project creation events and inspect stored Git Repository fields for non-URL characters
- Monitor host process trees for git clone or git ls-remote invocations that spawn unexpected interactive shells or networking utilities
- Correlate authentication events from low-privilege Coolify members with subsequent process anomalies on the host
Monitoring Recommendations
- Enable verbose audit logging on the Coolify host and forward process, file, and network telemetry to a centralized analytics platform
- Alert on shell metacharacters appearing in deployment-related API requests to the Coolify backend
- Track egress traffic from Coolify hosts and flag connections to non-allowlisted destinations during deployment workflows
How to Mitigate CVE-2025-34161
Immediate Actions Required
- Upgrade Coolify to version v4.0.0-beta.420.7 or later as published in the Coolify v4.0.0-beta.420.7 Release
- Review existing team memberships and revoke member-level access for any account that does not require deployment privileges
- Rotate credentials, API tokens, and SSH keys stored within the Coolify instance if exploitation cannot be ruled out
- Inspect all existing projects for Git Repository values containing shell metacharacters and delete suspicious entries
Patch Information
Coollabs released the fix in Coolify v4.0.0-beta.420.7. Administrators should follow the standard Coolify upgrade procedure and verify the running version after deployment. Release notes and patch artifacts are available at the Coolify v4.0.0-beta.420.7 Release page. Additional product information is available on the Coolify Homepage.
Workarounds
- Restrict network access to the Coolify management interface using a reverse proxy, VPN, or IP allowlist until the patch is applied
- Suspend project creation permissions for non-administrative team members on unpatched instances
- Run the Coolify service under a dedicated, least-privilege system account with constrained Docker socket exposure
# Verify the installed Coolify version and upgrade to the patched release
docker exec coolify cat /var/www/html/config/version.php
# Pull the patched image and restart the stack
cd /data/coolify/source
git fetch --tags
git checkout v4.0.0-beta.420.7
docker compose pull
docker compose up -d
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

