
CVE-2025-34157 PoC — Coolify Stored Cross-Site Scripting (XSS) in Project Name Field

Associated Vulnerability
Title: Coolify Stored Cross-Site Scripting (XSS) in Project Name Field (CVE-2025-34157)
Description: Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator attempts to delete the project or its associated resource, the payload executes in the admin’s browser context. This results in full compromise of the Coolify instance, including theft of API tokens, session cookies, and access to WebSocket-based terminal sessions on managed servers.
Description
A stored XSS in the project delete flow allows execution of attacker-controlled JavaScript in an administrator’s browser when the admin attempts to delete a project created by a low-privileged user. This can lead to takeover of the Coolify instance (cookies, API tokens, WebSocket/terminal actions).
Readme
# Stored XSS in Coolify delete flow (CVE-2025-34157)
 
> **Affects:** Coolify ≤ **v4.0.0-beta.420.6**  
> **Fixed in:** **v4.0.0-beta.420.7**  
> **Severity:** **Critical (9.4)**  
> **CVSS 4.0 Vector:** `CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H`  
> **CWE:** CWE-79 (Cross-Site Scripting), CWE-20 (Improper Input Validation)

## Summary
A stored XSS in the project delete flow allows execution of attacker-controlled JavaScript in an administrator’s browser when the admin attempts to delete a project created by a low-privileged user. This can lead to takeover of the Coolify instance (cookies, API tokens, WebSocket/terminal actions).

- **Attack Vector:** Remote (any authenticated user, incl. member)
- **Privileges Required:** Low
- **User Interaction:** Admin interaction (delete action)
- **Impact:** Account/session takeover, project/resource/terminal access

## Affected versions
- All versions **prior to and including** `v4.0.0-beta.420.6`.

## Proof of Concept (PoC)
Steps and payloads are in [`/POC`](./POC).

File Snapshot

[4.0K] /data/pocs/dc6c2198fc05abefacd880052d64f163f50fc021
├── [4.0K] POC
│   ├── [4.9K] Payloads HTMLi
│   ├── [ 461] Payloads XSS
│   └── [1.6K] ReadMe.md
└── [1.0K] README.md

1 directory, 4 files