Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-34161

CVE-2025-34161: Coollabs Coolify RCE Vulnerability

CVE-2025-34161 is a remote code execution flaw in Coollabs Coolify that lets low-privileged users inject shell commands via Git repository fields. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-34161 Overview

CVE-2025-34161 is a critical command injection vulnerability in Coolify, an open-source self-hosted PaaS platform developed by Coollabs. The flaw exists in the project deployment workflow of versions prior to v4.0.0-beta.420.7. Authenticated users with low-level member privileges can inject arbitrary shell commands through the Git Repository field during project creation. By submitting a crafted repository string containing shell metacharacters, attackers execute arbitrary commands on the underlying host. Successful exploitation results in full server compromise, including access to deployed applications, secrets, and adjacent infrastructure.

Critical Impact

Authenticated low-privilege users can achieve remote code execution on the Coolify host, leading to full server takeover and lateral movement across hosted projects.

Affected Products

  • Coollabs Coolify versions 4.0.0-beta.18 through 4.0.0-beta.420.6
  • All Coolify v4 beta releases prior to v4.0.0-beta.420.7
  • Self-hosted Coolify deployments exposing the project creation interface to authenticated members

Discovery Timeline

  • 2025-08-27 - CVE-2025-34161 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-34161

Vulnerability Analysis

The vulnerability is classified under [CWE-78] (OS Command Injection) and [CWE-20] (Improper Input Validation). Coolify accepts a Git repository string from authenticated members during project creation and passes it to underlying shell operations without sufficient sanitization. The platform invokes git commands against the user-supplied value as part of its deployment pipeline. When the input contains shell metacharacters such as backticks, semicolons, or $() constructs, the host shell interprets them as command separators. The injected commands execute under the Coolify service account, which typically runs Docker operations and holds privileged access to the host. Because Coolify orchestrates containers, network configuration, and credential stores, code execution at this layer compromises every project managed by the instance.

Root Cause

The root cause is the lack of input validation and shell-safe argument handling on the Git Repository field. Coolify treats the field as a trusted parameter and interpolates it into shell command strings rather than passing it as an isolated argument vector. Authorization checks limit the action to authenticated users, but member-level accounts are sufficient to reach the vulnerable code path.

Attack Vector

An attacker with member-tier credentials authenticates to the Coolify web interface and initiates project creation. In the Git Repository input, the attacker supplies a string that combines a legitimate-looking URL with appended shell syntax such as a command substitution sequence. When Coolify dispatches the deployment workflow, the shell expands the injected payload, executing attacker-controlled commands. The attack requires network access to the Coolify management interface and a valid low-privilege account. Public proof-of-concept material is referenced at GitHub CVE-2025-34161 PoC.

The vulnerability is exploited through the Git Repository field during project creation. An attacker submits a value that combines a benign repository path with shell metacharacters, and the unsanitized string is passed to the system shell when Coolify invokes git operations during deployment. See the GitHub CVE-2025-34161 PoC for technical details of the payload structure.

Detection Methods for CVE-2025-34161

Indicators of Compromise

  • Unexpected child processes spawned by the Coolify service or git binary, such as sh, bash, curl, wget, or nc
  • Outbound network connections from the Coolify host to attacker-controlled infrastructure shortly after project creation events
  • New or modified files in deployment working directories, SSH key stores, or cron locations on the Coolify host
  • Project entries in Coolify with Git Repository values containing shell metacharacters (;, |, `, $(), &&)

Detection Strategies

  • Audit Coolify application logs and database records for project creation events and inspect stored Git Repository fields for non-URL characters
  • Monitor host process trees for git clone or git ls-remote invocations that spawn unexpected interactive shells or networking utilities
  • Correlate authentication events from low-privilege Coolify members with subsequent process anomalies on the host

Monitoring Recommendations

  • Enable verbose audit logging on the Coolify host and forward process, file, and network telemetry to a centralized analytics platform
  • Alert on shell metacharacters appearing in deployment-related API requests to the Coolify backend
  • Track egress traffic from Coolify hosts and flag connections to non-allowlisted destinations during deployment workflows

How to Mitigate CVE-2025-34161

Immediate Actions Required

  • Upgrade Coolify to version v4.0.0-beta.420.7 or later as published in the Coolify v4.0.0-beta.420.7 Release
  • Review existing team memberships and revoke member-level access for any account that does not require deployment privileges
  • Rotate credentials, API tokens, and SSH keys stored within the Coolify instance if exploitation cannot be ruled out
  • Inspect all existing projects for Git Repository values containing shell metacharacters and delete suspicious entries

Patch Information

Coollabs released the fix in Coolify v4.0.0-beta.420.7. Administrators should follow the standard Coolify upgrade procedure and verify the running version after deployment. Release notes and patch artifacts are available at the Coolify v4.0.0-beta.420.7 Release page. Additional product information is available on the Coolify Homepage.

Workarounds

  • Restrict network access to the Coolify management interface using a reverse proxy, VPN, or IP allowlist until the patch is applied
  • Suspend project creation permissions for non-administrative team members on unpatched instances
  • Run the Coolify service under a dedicated, least-privilege system account with constrained Docker socket exposure
bash
# Verify the installed Coolify version and upgrade to the patched release
docker exec coolify cat /var/www/html/config/version.php

# Pull the patched image and restart the stack
cd /data/coolify/source
git fetch --tags
git checkout v4.0.0-beta.420.7
docker compose pull
docker compose up -d

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.