Command Injection Vulnerability in Coolify by Coollabs
CVE-2025-64419

9.7CRITICAL

Key Information:

Vendor: Coollabsio
Status: Coolify
Vendor: CVE Published:; 5 January 2026

🔔 Create Coollabsio Vulnerability Alert

Badges

👾 Exploit Exists📰 News Worthy

What is CVE-2025-64419?

A command injection vulnerability exists in Coolify, an open-source tool for managing servers and applications, impacting versions before 4.0.0-beta.445. This flaw arises from the lack of parameter sanitization derived from the 'docker-compose.yaml' file during command execution. An attacker can exploit this weakness if a victim user inadvertently creates an application using a malicious repository with the build pack 'docker compose'. This could result in arbitrary command execution on the affected Coolify instance with root privileges.

Affected Version(s)

coolify < 4.0.0-beta.445

News Articles

CVE-2025-64419 CVE-2025-64420

Coolify Self-Hosting Platform Vulnerabilities Allow Attackers to Execute Arbitrary System Commands

The vulnerabilities pose severe risks to organizations deploying Coolify instances, particularly those exposed to the internet.

thmubnail image

References

https://github.com/coollabsio/coolify/security/advisories...

x_refsource_CONFIRM

https://github.com/coollabsio/coolify/commit/f86ccfaa9af5...

x_refsource_MISC

CVSS V3.1

Score:

9.7

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

👾
Exploit known to exist
Jan 7, 2026
📰
First article discovered by Cyber Press
Jan 7, 2026
Vulnerability published
Jan 5, 2026
Vulnerability Reserved
Nov 3, 2025

CVE-2025-64419 Data

.