CVE-2025-59157 Overview
CVE-2025-59157 is a critical command injection vulnerability affecting Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. The vulnerability exists in the Git Repository field during project creation, where user input is not properly sanitized. This allows attackers to inject arbitrary shell commands that execute on the underlying server during the deployment workflow. The vulnerability is particularly concerning because even regular member users with limited privileges can exploit it to achieve full server compromise.
Critical Impact
Authenticated users with minimal privileges can execute arbitrary commands on the underlying server, potentially leading to complete system compromise, data theft, and lateral movement within the infrastructure.
Affected Products
- Coolify versions prior to 4.0.0-beta.420.7
Discovery Timeline
- January 5, 2026 - CVE-2025-59157 published to NVD
- January 8, 2026 - Last updated in NVD database
Technical Details for CVE-2025-59157
Vulnerability Analysis
This command injection vulnerability (CWE-78) allows authenticated attackers to inject malicious shell commands through the Git Repository field when creating new projects in Coolify. The application fails to properly validate and sanitize user-supplied input before incorporating it into shell commands executed during the deployment workflow. Since the injected commands run with the privileges of the Coolify service, successful exploitation can result in complete server takeover, unauthorized access to sensitive data, modification of deployed applications, and potential pivot points for attacking other systems in the network.
Root Cause
The root cause of this vulnerability is improper input validation in the Git Repository field handling logic. When users create projects and specify a Git repository URL, the application passes this input directly to shell commands without adequate sanitization or escaping. This allows special shell characters and command separators to be interpreted by the underlying shell, enabling command injection attacks. The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command).
Attack Vector
The attack is network-accessible and requires only low-privilege authentication (a regular member account). An attacker can craft a malicious Git repository URL containing shell metacharacters such as semicolons (;), backticks, or command substitution syntax ($(command)). When the deployment workflow processes this malicious input, the injected commands are executed on the server with the same privileges as the Coolify application. This allows attackers to read sensitive files, establish reverse shells, install backdoors, or pivot to other systems on the network.
The vulnerability can be exploited by crafting a specially formatted Git repository URL that includes shell command injection payloads. When a user with member privileges creates a project using this malicious repository URL, the Coolify deployment process executes the injected commands on the underlying server. See the GitHub Security Advisory for additional technical details.
Detection Methods for CVE-2025-59157
Indicators of Compromise
- Unusual shell commands or processes spawned by the Coolify application service
- Unexpected network connections originating from the Coolify server
- Modified or newly created files in system directories outside of normal Coolify operations
- Suspicious entries in Coolify deployment logs containing shell metacharacters or command sequences
Detection Strategies
- Monitor Coolify application logs for Git repository URLs containing shell metacharacters such as ;, |, &&, backticks, or $() patterns
- Implement process monitoring to detect unexpected child processes spawned by the Coolify service
- Deploy network monitoring to identify anomalous outbound connections from the Coolify server
- Review audit logs for project creation activities with unusual repository URL patterns
Monitoring Recommendations
- Enable comprehensive logging for all project creation and deployment activities in Coolify
- Configure SIEM rules to alert on suspicious command patterns in application logs
- Implement file integrity monitoring on critical system files and Coolify installation directories
- Monitor for privilege escalation attempts or unusual user activity following project creation events
How to Mitigate CVE-2025-59157
Immediate Actions Required
- Upgrade Coolify to version 4.0.0-beta.420.7 or later immediately
- Audit existing projects for any suspicious Git repository URLs that may contain malicious payloads
- Review server logs and process history for signs of exploitation
- Restrict network access to the Coolify management interface to trusted networks only
Patch Information
The vulnerability has been addressed in Coolify version 4.0.0-beta.420.7. Organizations should upgrade to this version or later as soon as possible. The patch implements proper input sanitization for the Git Repository field, preventing shell metacharacters from being interpreted as commands. For more details, refer to the GitHub Security Advisory.
Workarounds
- Restrict project creation privileges to only highly trusted administrators until the patch can be applied
- Implement network segmentation to limit the potential impact of server compromise
- Deploy web application firewall (WAF) rules to filter requests containing shell metacharacters in the Git repository field
- Monitor and audit all project creation activities for suspicious patterns
# Verify Coolify version after upgrade
coolify version
# Expected output should show 4.0.0-beta.420.7 or higher
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
