Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-59158

CVE-2025-59158: Coollabs Coolify XSS Vulnerability

CVE-2025-59158 is a stored cross-site scripting flaw in Coollabs Coolify that enables low-privilege users to inject malicious JavaScript into project names. This post covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-59158 Overview

CVE-2025-59158 is a stored cross-site scripting (XSS) vulnerability in Coolify, an open-source self-hostable platform for managing servers, applications, and databases. The flaw affects all versions up to and including v4.0.0-beta.420.6. An authenticated low-privilege user, such as a member-role account, can create a project with a name containing embedded JavaScript. The payload remains stored until an administrator interacts with the project, at which point it executes in the admin's browser context. The maintainer released version v4.0.0-beta.420.7 to remediate the issue. The vulnerability is tracked under [CWE-79] (Cross-site Scripting) and [CWE-116] (Improper Encoding or Escaping of Output).

Critical Impact

A member-role user can hijack administrator sessions, escalate privileges, and gain full control over managed servers, applications, and databases when an admin deletes the malicious project.

Affected Products

  • Coolify 4.0.0-beta.18 through 4.0.0-beta.420.6
  • All Coolify v4 beta releases prior to the patched version
  • Self-hosted Coolify instances managed by Coollabs

Discovery Timeline

  • 2026-01-05 - CVE-2025-59158 published to NVD
  • 2026-01-12 - Last updated in NVD database

Technical Details for CVE-2025-59158

Vulnerability Analysis

The vulnerability resides in the project creation workflow of Coolify. The application accepts user-supplied project names without applying sufficient output encoding when those names are later rendered in administrative views. An attacker authenticated as a member-role user creates a new project whose name contains an HTML or JavaScript payload. The payload is persisted in the application database alongside the project record.

When an administrator later navigates to the project's delete confirmation view, or interacts with the project's associated resources, the unescaped name is rendered into the DOM. The browser parses the embedded script and executes it under the administrator's session context. This converts a low-privilege account into an effective administrator through targeted social interaction with the platform.

Because Coolify manages servers, deployments, environment secrets, and database credentials, script execution in an admin session translates directly into infrastructure compromise. The attacker can issue authenticated API calls to add SSH keys, exfiltrate environment variables, deploy malicious containers, or pivot to managed hosts.

Root Cause

The root cause is improper output encoding ([CWE-116]) of user-controlled fields rendered in privileged UI views. Input validation on project names is insufficient to block markup, and the rendering layer does not contextually escape the value before insertion into HTML templates.

Attack Vector

Exploitation requires only network access to the Coolify web interface and a low-privilege authenticated account. The attacker creates a project with a malicious name and waits for an administrator to view or delete it. The trigger is administrator interaction, which makes the vector dependent on user action but highly likely in normal cleanup workflows.

The vulnerability mechanism is described in the GitHub Security Advisory GHSA-h52r-jxv9-9vhf.

Detection Methods for CVE-2025-59158

Indicators of Compromise

  • Project records in the Coolify database containing HTML tags, <script>, javascript:, or event handler strings such as onerror= or onload= in the name field.
  • Unexpected outbound HTTP requests from administrator browser sessions to attacker-controlled domains following project administration activity.
  • Creation of new SSH keys, API tokens, or admin accounts immediately after an administrator viewed a project deletion confirmation page.
  • Audit log entries showing privileged actions originating from administrator sessions within seconds of a member-role project creation.

Detection Strategies

  • Query the Coolify project table for entries where the name column contains angle brackets, quotes, or scripting keywords, and flag accounts that created those records.
  • Inspect web server access logs for POST requests to project creation endpoints followed by administrator GET requests to delete or detail pages on the same resource.
  • Monitor for Content Security Policy (CSP) violations reported by administrator browsers when interacting with Coolify, which can indicate injected payloads.

Monitoring Recommendations

  • Forward Coolify application logs and reverse proxy logs to a centralized log platform and alert on suspicious name fields in project mutation events.
  • Track administrator session activity for anomalous API calls that originate immediately after viewing user-generated content.
  • Review role assignments and enumerate all non-admin accounts that have created or modified projects since the deployment of any affected beta version.

How to Mitigate CVE-2025-59158

Immediate Actions Required

  • Upgrade Coolify to version 4.0.0-beta.420.7 or later on every self-hosted instance.
  • Audit existing projects for malicious names and remove or rename any entries containing HTML or scripting syntax before the next administrator interaction.
  • Review member-role accounts and revoke access for any user that should not retain project creation privileges.
  • Rotate administrator credentials, API tokens, and SSH keys managed by Coolify if exploitation is suspected.

Patch Information

Coollabs released the fix in Coolify v4.0.0-beta.420.7. The patched release addresses the improper output encoding in the project creation and deletion views. Refer to the Coolify GHSA-h52r-jxv9-9vhf advisory for release notes and upgrade guidance.

Workarounds

  • Restrict project creation to trusted administrator accounts until the patch is applied by removing the member role from untrusted users.
  • Place Coolify behind a web application firewall that blocks request bodies containing HTML or scripting syntax in project name parameters.
  • Enforce a strict Content Security Policy on the Coolify domain to limit inline script execution in administrative sessions.
bash
# Configuration example: upgrade self-hosted Coolify to the patched release
curl -fsSL https://cdn.coollabs.io/coolify/install.sh | bash -s -- --version v4.0.0-beta.420.7

# Verify the running version after upgrade
docker exec coolify php artisan about | grep -i version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.