Stored Cross-Site Scripting Vulnerability in Coolify by Cool Labs
CVE-2025-34157

9.4CRITICAL

Key Information:

Vendor

Coollabs Technologies

Status
Coolify
Vendor
CVE Published:
27 August 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-34157?

Coolify versions before v4.0.0-beta.420.6 are susceptible to a stored cross-site scripting (XSS) vulnerability in the project creation process. This flaw enables an authenticated user with minimal privileges to create a project with a malicious name containing embedded JavaScript. When an administrator attempts to remove the project or its corresponding resources, the injected script executes within the admin's browser, potentially leading to a complete compromise of the Coolify instance. This could allow attackers to seize API tokens, session cookies, and access WebSocket-based terminal sessions on servers managed by the application.

Affected Version(s)

Coolify * < 4.0.0.-beta.420.7

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-34157
Created by Eyodav

References

https://github.com/coollabsio/coolify/releases/tag/v4.0.0...
vendor-advisorypatch
https://coolify.io/
product
https://github.com/Eyodav/CVE-2025-34157
technical-descriptionexploit

CVSS V4

Score:
9.4
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Mike G.A (Eyodav)
.
CVE-2025-34157 : Stored Cross-Site Scripting Vulnerability in Coolify by Cool Labs