CVE-2025-59156
Unknown Unknown - Not Provided
Remote Code Execution in Coolify via Docker Compose Injection

Publication date: 2026-01-05

Last updated on: 2026-01-05

Assigner: GitHub, Inc.

Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, a Remote Code Execution (RCE)*vulnerability exists in Coolify's application deployment workflow. This flaw allows a low-privileged member to inject arbitrary Docker Compose directives during project creation or updates. By defining a malicious service that mounts the host filesystem, an attacker can achieve root-level command execution on the host OS, completely bypassing container isolation. Version 4.0.0-beta.420.7 contains a patch for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-05
Last Modified
2026-01-05
Generated
2026-06-16
AI Q&A
2026-01-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59156
EUVD
EUVD-2025-206241
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
coollabsio coolify to 4.0.0-beta.420.7 (exc)
coollabsio coolify 4.0.0-beta.420.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-59156 is a critical Remote Code Execution (RCE) vulnerability in Coolify, an open-source tool for managing servers and applications. The flaw exists in the project deployment workflow where a low-privileged user can inject malicious Docker Compose directives during project creation or updates. By defining a service that mounts the host filesystem, the attacker can execute commands with root privileges on the host OS, bypassing container isolation. This allows full control over the host system. [1]

Impact Analysis

This vulnerability can lead to complete host system compromise. An attacker with low privileges can execute arbitrary commands as root on the host, read and write system files, establish persistence, move laterally within the environment, and bypass UI terminal access restrictions. It can also compromise other users and teams on the same Coolify instance, leading to severe security breaches. [1]

Detection Guidance

Detection involves auditing Coolify project deployments for malicious Docker Compose configurations that mount the host filesystem or execute arbitrary commands. One can look for Docker Compose files with suspicious volume mounts such as mounting '/' from the host. For example, searching for Docker Compose files containing host root mounts or unusual volume directives. Commands to help detect this include: 1) Searching for suspicious mounts in Docker Compose files: `grep -r ':/ ' /path/to/coolify/projects` or `grep -r 'hostPath' /path/to/coolify/projects` 2) Checking for unexpected files created on the host filesystem, e.g., `ls -l /tmp/proof_rce.txt` 3) Monitoring container creation logs for unusual volume mounts or service definitions. Since exploitation requires injecting Docker Compose directives, reviewing project creation and update logs for unauthorized changes is also recommended. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade Coolify to version 4.0.0-beta.420.7 or later, which contains the patch for this vulnerability. Additionally, audit existing projects for malicious Docker Compose configurations that may mount the host filesystem or execute arbitrary commands. Restrict member-level permissions to trusted users and monitor project deployment workflows closely. Avoid running vulnerable versions in production environments until patched. [1]

Compliance Impact

This vulnerability allows an attacker to achieve root-level command execution on the host OS, leading to complete host compromise, including reading and writing system files, establishing persistence, and lateral movement. Such a compromise can result in unauthorized access to sensitive data and systems, potentially violating data protection requirements under standards like GDPR and HIPAA. Therefore, organizations using vulnerable versions of Coolify may face compliance risks due to the possibility of data breaches and loss of system integrity. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59156. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart