CVE-2025-59156
Remote Code Execution in Coolify via Docker Compose Injection

Publication date: 2026-01-05

Last updated on: 2026-01-05

Assigner: GitHub, Inc.

Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, a Remote Code Execution (RCE) vulnerability exists in Coolify's application deployment workflow. This flaw allows a low-privileged member to inject arbitrary Docker Compose directives during project creation or updates. By defining a malicious service that mounts the host filesystem, an attacker can achieve root-level command execution on the host OS, completely bypassing container isolation. Version 4.0.0-beta.420.7 contains a patch for the issue.
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2026-01-05
EPSS evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor       Product   Version / Range
coollabsio   coolify   up to 4.0.0-beta.420.7 (exclusive)
coollabsio   coolify   4.0.0-beta.420.7
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-59156 is a critical Remote Code Execution (RCE) vulnerability in Coolify, an open-source tool for managing servers and applications. The flaw exists in the project deployment workflow where a low-privileged user can inject malicious Docker Compose directives during project creation or updates. By defining a service that mounts the host filesystem, the attacker can execute commands with root privileges on the host OS, bypassing container isolation. This allows full control over the host system. [1]


How can this vulnerability impact me?

This vulnerability can lead to complete host system compromise. An attacker with low privileges can execute arbitrary commands as root on the host, read and write system files, establish persistence, move laterally within the environment, and bypass UI terminal access restrictions. It can also compromise other users and teams on the same Coolify instance, leading to severe security breaches. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection involves auditing Coolify project deployments for malicious Docker Compose configurations that mount the host filesystem or execute arbitrary commands. One can look for Docker Compose files with suspicious volume mounts, such as mounting '/' from the host, by searching for Docker Compose files containing host root mounts or unusual volume directives. Commands to help detect this include:

1) Searching for suspicious mounts in Docker Compose files: `grep -r ':/ ' /path/to/coolify/projects` or `grep -r 'hostPath' /path/to/coolify/projects`
2) Checking for unexpected files created on the host filesystem, e.g., `ls -l /tmp/proof_rce.txt`
3) Monitoring container creation logs for unusual volume mounts or service definitions.

Since exploitation requires injecting Docker Compose directives, reviewing project creation and update logs for unauthorized changes is also recommended. [1]
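A defender-side audit of the Compose directives the answer above says to search for, added here as an illustration; it is not code from this page, from Coolify, or from its maintainers. It takes an already-parsed Compose document (a dict of the kind `yaml.safe_load` returns; the sample below is constructed inline) and reports services that bind-mount sensitive host paths, run privileged, or share the host PID namespace. The list of sensitive host paths is an assumption to tune per environment.

```python
from __future__ import annotations
import os

# Host paths that defeat container isolation when bind-mounted (assumption: tune per host).
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/home", "/boot", "/proc", "/sys",
                        "/dev", "/var/run/docker.sock", "/run/docker.sock")

def bind_source(volume) -> str | None:
    """Host-side path of a bind mount, or None for named volumes and other types."""
    if isinstance(volume, str):                 # short syntax "src:dst[:opts]"
        src = volume.split(":", 1)[0]
    elif isinstance(volume, dict) and volume.get("type") == "bind":
        src = str(volume.get("source", ""))     # long syntax {type: bind, source: ...}
    else:
        return None
    # Named volumes ("data:/srv") carry no path prefix, so they are not bind mounts.
    return src if src.startswith(("/", "./", "../", "~")) else None

def is_sensitive(src: str) -> bool:
    """True for the host root or any path at or below a sensitive location."""
    p = os.path.normpath(src)
    return p == "/" or any(p == s or p.startswith(s + "/") for s in SENSITIVE_HOST_PATHS)

def audit_services(compose: dict) -> list[str]:
    """One finding per risky directive, as 'service: reason' strings."""
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        for vol in svc.get("volumes") or []:
            src = bind_source(vol)
            if src is not None and is_sensitive(src):
                findings.append(f"{name}: bind mount of host path {src}")
        if svc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if svc.get("pid") == "host":
            findings.append(f"{name}: shares host PID namespace")
    return findings

# Constructed sample, equal to yaml.safe_load() of a small compose file (not from the page).
SAMPLE_COMPOSE = {
    "services": {
        "app": {"image": "nginx",
                "volumes": ["appdata:/usr/share/nginx/html", "./site:/srv:ro"]},
        "suspicious": {"image": "alpine", "privileged": True,
                       "volumes": ["/:/host", {"type": "bind", "target": "/var/run/docker.sock",
                                               "source": "/var/run/docker.sock"}]},
    },
    "volumes": {"appdata": {}},
}
```

Running `audit_services` over each project's parsed compose file gives a reviewable list of host-exposing services rather than a raw grep hit; relative bind mounts such as `./site` are deliberately left unflagged since they resolve inside the project directory.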


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Coolify to version 4.0.0-beta.420.7 or later, which contains the patch for this vulnerability. Additionally, audit existing projects for malicious Docker Compose configurations that may mount the host filesystem or execute arbitrary commands. Restrict member-level permissions to trusted users and monitor project deployment workflows closely. Avoid running vulnerable versions in production environments until patched. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an attacker to achieve root-level command execution on the host OS, leading to complete host compromise, including reading and writing system files, establishing persistence, and lateral movement. Such a compromise can result in unauthorized access to sensitive data and systems, potentially violating data protection requirements under standards like GDPR and HIPAA. Therefore, organizations using vulnerable versions of Coolify may face compliance risks due to the possibility of data breaches and loss of system integrity. [1]

