CVE-2025-59158
Stored XSS in Coolify Project Creation Allows Admin Browser Exploit

Publication date: 2026-01-05

Last updated on: 2026-01-05

Assigner: GitHub, Inc.

Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges (e.g., member role) can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator later attempts to delete the project or its associated resource, the payload automatically executes in the admin’s browser context. Version 4.0.0-beta.420.7 contains a patch for the issue.
Affected Vendors & Products
Vendor: coollabsio
Product: coolify
Version / Range: up to and including 4.0.0-beta.420.6
CWE
CWE-116 (Improper Encoding or Escaping of Output): The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-59158 is a stored Cross-Site Scripting (XSS) vulnerability in Coolify versions up to and including v4.0.0-beta.420.6. An authenticated user with low privileges (for example, the member role) can create a project whose name contains embedded JavaScript. Coolify stores the name and later renders it without HTML encoding when an administrator attempts to delete the project or one of its resources, so the script runs in the administrator's browser with the administrator's session. The attacker can then act as that administrator, up to taking full administrative control of the Coolify instance. [1]


How can this vulnerability impact me?

The practical effect is privilege escalation from a low-privileged user to administrative control of the Coolify instance. Because the script runs with the administrator's session, it can steal API tokens and session cookies, reach the WebSocket-based terminal sessions Coolify exposes for managed servers, and use project management features with admin rights; combined with other weaknesses it may also provide persistence and further privilege escalation. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection has two parts. First, confirm whether the instance runs a vulnerable version (up to and including v4.0.0-beta.420.6); anything older than v4.0.0-beta.420.7 should be treated as exposed. Second, inspect stored project names for HTML or JavaScript. The advisory's proof-of-concept payload is `<details x=xxxxxxxxxxxxxxxxxx:2 open ontoggle="prompt('PoC');">`; any name containing a tag, an inline event handler (`on...=`) or a `javascript:` URL is a red flag. Project names are visible to ordinary team members, so the list can be reviewed from a low-privileged account, but prefer a database query or the API so that the check itself does not render the stored names in a browser. The resource provides no specific commands; reviewing project metadata and auditing administrator delete actions, which is when the payload fires, helps spot exploitation attempts. [1]
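As an added example (not code from this page or from the Coolify project), the following Python script applies the second check above to a list of project names: it flags names that contain a tag, an inline `on...=` handler, a `javascript:` URL or a pre-encoded `<`, and prints what each flagged name looks like once HTML-encoded, which is the rendering the patched version should produce. The sample names are constructed (the advisory's PoC plus made-up variants), and the SQL query in the comment assumes Coolify's PostgreSQL schema has a `projects` table with a `name` column; verify both against your instance.

```python
from __future__ import annotations

import html
import re

# Heuristic markers of HTML/JS injection in a free-text field. A project name
# has no legitimate reason to contain a tag, an inline event handler or a
# javascript: URL, so any hit is worth a manual look (false positives are
# cheap here, missed payloads are not).
PATTERNS = {
    "html_tag": re.compile(r"<\s*/?[a-z!]", re.I),         # <details, </div, <!--
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),  # ontoggle=, onerror=
    "script_scheme": re.compile(r"javascript\s*:", re.I),  # javascript:alert(1)
    # A '<' that was stored already encoded; harmless if rendered once, but a
    # second decode somewhere downstream would revive it.
    "encoded_tag": re.compile(r"(&lt;|&#x3c;|&#60;|\\u003c)", re.I),
}

# Constructed sample standing in for rows of Coolify's projects table (table
# and column names are an assumption, see the query below). The fourth entry
# is the proof-of-concept payload quoted in the advisory; the last two are
# made-up variants an attacker might try instead.
SAMPLE_PROJECT_NAMES = [
    "billing-api",
    "Staging (EU) & QA",
    "prod <2024> archive",  # benign: '<' followed by a digit is not a tag
    '<details x=xxxxxxxxxxxxxxxxxx:2 open ontoggle="prompt(\'PoC\');">',
    "<img src=x onerror=alert(document.cookie)>",
    "docs &lt;svg onload=alert(1)&gt;",
]

# Assumed query for pulling the real rows out of the instance's PostgreSQL
# database instead of the sample above (check the schema of your version):
#   SELECT id, name FROM projects WHERE name ~ '[<>&]' OR name ~* 'javascript:';


def scan_name(name: str) -> list[str]:
    """Return the labels of every pattern that matches; empty list if clean."""
    return [label for label, rx in PATTERNS.items() if rx.search(name)]


def scan_project_names(names: list[str]) -> dict[str, list[str]]:
    """Map each suspicious name to the reasons it was flagged."""
    return {name: hits for name in names if (hits := scan_name(name))}


def render_escaped(name: str) -> str:
    """The name as it appears once HTML-encoded at render time, which is the
    CWE-116 fix: '<', '>' and both quote characters become entities, so the
    browser displays the payload as text instead of parsing it as markup."""
    return html.escape(name, quote=True)


if __name__ == "__main__":
    for name, reasons in scan_project_names(SAMPLE_PROJECT_NAMES).items():
        print(f"FLAGGED {', '.join(reasons)}: {name!r}")
        print(f"  safe rendering: {render_escaped(name)}")
```

Run it as-is to see the constructed sample, or replace SAMPLE_PROJECT_NAMES with the output of the query run against the Coolify database, so the check never renders the stored names in a browser.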


What immediate steps should I take to mitigate this vulnerability?

Upgrade Coolify to v4.0.0-beta.420.7 or later, which contains the patch. The root cause is missing output encoding (CWE-116), so the durable fix is to HTML-encode project names wherever they are rendered, including the delete confirmation step where the payload fires; restricting special characters in project metadata on input is useful defense in depth but not a substitute. A Content Security Policy that blocks inline scripts and inline event handlers limits what a payload like the one above can do if encoding is missed somewhere. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

