# Critical Vulnerability Information

## Vulnerability Overview

- CVE ID: CVE-2025-34159
- Affected Versions: Coolify ≤ v4.0.0-beta.420.6
- Fixed Version: v4.0.0-beta.420.7
- Severity: Critical
- CVSS 4.0: `CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/SC:H/V:V1/H:VA/R:BC/I:R/SI:H/SA:H`
- CWE: CWE-78 (OS Command Injection), CWE-20 (Improper Input Validation)

## Executive Summary

Vulnerability Description: A critical Remote Code Execution (RCE) vulnerability exists in Coolify’s application deployment workflow. The flaw allows low-privileged members to inject arbitrary Docker Compose directives when a project is created or updated. By defining a malicious service that mounts the host filesystem, an attacker can execute commands as root on the host operating system, completely bypassing container isolation.

### Security Impact

- Arbitrary Command Execution: execution of arbitrary commands on the host system with root privileges.
- Full Host Compromise: capabilities include reading and writing system files, establishing persistence, and performing lateral movement.
- Multi-tenant Security Breach: potential to compromise the security of other users and teams sharing the same instance.
- Bypass of Security Controls: renders UI terminal access restrictions (403 controls) ineffective.

## Technical Details

Affected Versions:

- Vulnerable: Coolify ≤ v4.0.0-beta.420.6
- Patched: v4.0.0-beta.420.7

Attack Vector: The vulnerability resides in the project deployment workflow, where user-provided Docker Compose configurations are processed without sufficient validation or sandboxing.

## Proof of Concept

PoC 1: Host root mount and command execution

PoC 2: Writing to host path

### Reproduction Steps

1. Log in as a member-level user (non-admin).
2. Create or edit a project in Coolify.
3. Provide a malicious configuration using one of the Docker Compose payloads above.
4. Deploy the project.
5. Verify exploitation by checking host-side artifacts (e.g., `/tmp/proof_rce.txt`) or examining command output in the deployment logs.

## Immediate Actions

1. Immediately upgrade to Coolify v4.0.0-beta.420.7 or later.
2. Review existing projects for potentially malicious Docker Compose configurations.

## References

- Patch/Release Notes: https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.420.7
- Advisory/PoC Repository: https://github.com/Eyodav/CVE-2025-34159
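The attack vector above is user-controlled Compose content reaching the host unchecked, and the second remediation step asks operators to review existing projects for such content. The following is an added example of the kind of pre-deployment check and review helper a defender would want; it is not code from this advisory or from Coolify, and it assumes the Compose file has already been parsed into a Python dict (for example by a YAML parser). The function names and the sample Compose definition are constructed for illustration.

```python
"""Flag Docker Compose service settings that grant access to the host."""
from typing import Any, List, Optional

def _bind_source(volume: Any) -> Optional[str]:
    """Host-side path of a bind mount, or None for a named volume.
    Short syntax "host:container[:mode]" is a bind mount only when the host
    part looks like a path; long syntax uses type: bind with a source key."""
    if isinstance(volume, str):
        host = volume.split(":", 1)[0]
        return host if host.startswith(("/", "~", ".")) else None
    if isinstance(volume, dict) and volume.get("type") == "bind":
        return str(volume.get("source", ""))
    return None

def find_unsafe_settings(compose: dict, allowed_prefix: str) -> List[str]:
    """Return one finding per service setting that escapes the container.
    Bind mounts are allowed only below allowed_prefix (the project's own
    directory); "/" and "../" paths fall outside it and are reported."""
    findings: List[str] = []
    for name, svc in (compose.get("services") or {}).items():
        if not isinstance(svc, dict):
            continue
        for vol in svc.get("volumes") or []:
            src = _bind_source(vol)
            if src is not None and not src.startswith(allowed_prefix):
                findings.append(f"{name}: bind mount from host path {src!r}")
        if svc.get("privileged"):
            findings.append(f"{name}: privileged mode")
        for key in ("pid", "network_mode", "ipc"):
            if svc.get(key) == "host":
                findings.append(f"{name}: {key}=host shares host namespace")
        caps = {str(c).upper() for c in svc.get("cap_add") or []}
        if caps & {"ALL", "SYS_ADMIN", "SYS_PTRACE"}:
            findings.append(f"{name}: dangerous capabilities {sorted(caps)}")
        for opt in svc.get("security_opt") or []:
            if "unconfined" in str(opt):
                findings.append(f"{name}: security profile disabled ({opt})")
    return findings

# Constructed sample: one benign service and one that reaches the host root.
SAMPLE_COMPOSE = {
    "services": {
        "web": {"image": "nginx", "volumes": ["./site:/usr/share/nginx/html", "data:/var/lib"]},
        "escape": {"image": "alpine", "volumes": ["/:/host"], "privileged": True, "pid": "host"},
    },
    "volumes": {"data": {}},
}

if __name__ == "__main__":
    for finding in find_unsafe_settings(SAMPLE_COMPOSE, allowed_prefix="./"):
        print("REJECT:", finding)
```

A deployment pipeline would refuse the project when the list is non-empty; the same function run over every stored project covers the review step in the remediation list.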