Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64419

CVE-2025-64419: Coolify RCE Vulnerability

CVE-2025-64419 is a remote code execution flaw in Coolify that allows attackers to execute commands as root through unsanitized docker-compose.yaml parameters. This post covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-64419 Overview

CVE-2025-64419 is a critical command injection vulnerability discovered in Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. The vulnerability exists in versions prior to 4.0.0-beta.445 where parameters sourced from docker-compose.yaml files are not properly sanitized when used in shell commands. This allows an attacker to execute arbitrary commands on the Coolify instance with root privileges if a victim user creates an application from an attacker-controlled repository using the "docker compose" build pack.

Critical Impact

An attacker can achieve remote code execution as root on the Coolify server by crafting a malicious docker-compose.yaml file in a repository that a victim user imports, resulting in complete system compromise.

Affected Products

  • Coolify versions prior to 4.0.0-beta.445
  • Coolify deployments using the Docker Compose build pack
  • Self-hosted Coolify instances processing untrusted repositories

Discovery Timeline

  • January 5, 2026 - CVE-2025-64419 published to NVD
  • January 8, 2026 - Last updated in NVD database

Technical Details for CVE-2025-64419

Vulnerability Analysis

This vulnerability falls under CWE-77 (Command Injection), a class of security flaws where untrusted data is incorporated into commands executed by an interpreter. The attack requires user interaction—specifically, a victim must create an application from an attacker-controlled Git repository using Coolify's Docker Compose build pack. Once this action is taken, the attacker gains the ability to execute arbitrary commands with root-level privileges on the underlying Coolify server.

The exploitation scenario is particularly dangerous in multi-tenant environments or scenarios where users may import third-party repositories without thoroughly auditing their contents. The scope extends beyond the vulnerable component itself, potentially affecting the confidentiality, integrity, and availability of the entire host system and any other applications managed by the Coolify instance.

Root Cause

The root cause of CVE-2025-64419 lies in the improper handling of user-supplied Docker Compose commands. When processing custom Docker Compose build and start commands, the application failed to properly sanitize or validate parameters extracted from the docker-compose.yaml file before incorporating them into shell commands. This lack of input sanitization allowed malicious content embedded in the compose file to be executed directly by the system shell.

Attack Vector

The attack vector is network-based and requires user interaction. An attacker must:

  1. Create a malicious Git repository containing a crafted docker-compose.yaml file
  2. Convince a victim Coolify user to import this repository using the Docker Compose build pack
  3. When the victim creates the application, the malicious parameters from the compose file are passed unsanitized to shell commands
  4. The injected commands execute with root privileges on the Coolify server

The following code shows part of the security patch implementing the injectDockerComposeFlags function that sanitizes Docker Compose commands:

php
/**
 * Auto-inject -f and --env-file flags into a docker compose command if not already present
 *
 * @param  string  $command  The docker compose command to modify
 * @param  string  $composeFilePath  The path to the compose file
 * @param  string  $envFilePath  The path to the .env file
 * @return string The modified command with injected flags
 */
function injectDockerComposeFlags(string $command, string $composeFilePath, string $envFilePath): string
{
    $dockerComposeReplacement = 'docker compose';

    // Add -f flag if not present (checks for both -f and --file with various formats)
    // Detects: -f path, -f=path, -fpath (concatenated), --file path, --file=path with any whitespace (space, tab, newline)
    if (! preg_match('/(?:^|\s)(?:-f(?:[=\s]|\S)|--file(?:=|\s))/', $command)) {
        $dockerComposeReplacement .= " -f {$composeFilePath}";
    }

    // Add --env-file flag if not present (checks for --env-file with various formats)
    // Detects: --env-file path, --env-file=path with any whitespace
    if (! preg_match('/(?:^|\s)--env-file(?:=|\s)/', $command)) {
        $dockerComposeReplacement .= " --env-file {$envFilePath}";
    }

    // Replace only first occurrence to avoid modifying comments/strings/chained commands
    return preg_replace('/docker\s+compose/', $dockerComposeReplacement, $command, 1);
}

Source: GitHub Commit f86ccfaa9af572a5487da8ea46b0a125a4854cf6

Detection Methods for CVE-2025-64419

Indicators of Compromise

  • Unexpected process execution on Coolify servers, particularly commands spawned from PHP worker processes
  • Suspicious activity in Docker Compose deployment logs showing malformed or unusual command patterns
  • Newly created applications from external or unrecognized Git repositories
  • Evidence of privilege escalation or unauthorized root-level access on the host system
  • Anomalous outbound network connections from the Coolify server

Detection Strategies

  • Monitor system logs for unexpected command execution patterns originating from Coolify processes
  • Implement file integrity monitoring on critical Coolify configuration files and binaries
  • Review Git repository imports and flag applications created from untrusted external sources
  • Deploy endpoint detection and response (EDR) solutions to identify command injection patterns
  • Audit Docker Compose files for suspicious or obfuscated content before deployment

Monitoring Recommendations

  • Enable verbose logging for Coolify application deployments and Docker Compose operations
  • Set up alerts for root-level command execution outside normal Coolify operational patterns
  • Monitor for creation of new user accounts or SSH keys on the host system
  • Track network connections from the Coolify server to identify potential command-and-control traffic
  • Implement behavior-based detection for anomalous process trees spawned by web application processes

How to Mitigate CVE-2025-64419

Immediate Actions Required

  • Upgrade Coolify to version 4.0.0-beta.445 or later immediately
  • Audit all recently imported repositories and applications created using the Docker Compose build pack
  • Review server logs for any indicators of exploitation or unauthorized command execution
  • Restrict access to Coolify administration interfaces to trusted users only
  • Consider isolating Coolify instances in network segments with limited access to sensitive resources

Patch Information

The vulnerability has been addressed in Coolify version 4.0.0-beta.445. The fix implements proper sanitization of Docker Compose commands through the injectDockerComposeFlags function, which validates and controls the flags passed to Docker Compose operations. Users should upgrade immediately by pulling the latest version from the official Coolify repository. For detailed technical information about the fix, refer to the GitHub Commit and the GitHub Security Advisory GHSA-234r-xrrg-m8f3.

Workarounds

  • Disable or restrict the Docker Compose build pack until the patch can be applied
  • Implement strict repository allowlisting to prevent imports from untrusted sources
  • Require manual review and approval of all docker-compose.yaml files before application creation
  • Run Coolify in a containerized environment with limited host access to reduce impact of potential exploitation
  • Enforce the principle of least privilege for Coolify service accounts
bash
# Verify your Coolify version and upgrade if necessary
cd /path/to/coolify
git fetch --tags
git describe --tags
# Upgrade to patched version
git checkout v4.0.0-beta.445
# Restart Coolify services
docker compose down && docker compose up -d

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.