Arbitrary Command Injection in Coolify Server Management Tool
CVE-2025-22606
8.5HIGH
Key Information:
- Vendor
- Coollabsio
- Status
- Coolify
- Vendor
- CVE Published:
- 24 January 2025
Summary
Coolify, an open-source server management tool, is vulnerable to arbitrary command injection due to improper handling of project names. When users create or update a project, unescaped characters in the project name can disrupt the intended command structure, allowing attackers to execute arbitrary shell commands on the host system. This exposure can lead to severe consequences, such as unauthorized access, modification, or deletion of critical system files, and privilege escalation based on the permissions of the executed processes. Users are urged to upgrade to version 4.0.0-beta.359 to mitigate the risks associated with this vulnerability.
Affected Version(s)
coolify < 4.0.0-beta.359
References
CVSS V4
Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None
Timeline
Vulnerability published
Vulnerability Reserved