Executive Summary

CVE-2025-64419 is a critical command injection vulnerability in Coolify versions prior to 4.0.0-beta.445. The issue occurs because parameters from the docker-compose.yaml file are not sanitized before being used in shell commands. An attacker can craft a malicious docker-compose.yaml in a repository, and if a victim user deploys an application from that repository using the "docker compose" build pack, the attacker can execute arbitrary commands on the Coolify host system with root privileges. This happens because the command execution function does not properly escape input, allowing injected commands to run on the host. The vulnerability enables attackers to run commands as root, potentially compromising the entire system. [2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including allowing attackers to execute arbitrary commands on the Coolify host system as root. This can lead to full system compromise, including unauthorized access to sensitive data, modification or deletion of files, disruption of services, and exfiltration of confidential information. The attack can be performed remotely without any privileges, requiring only that a victim deploys a malicious repository. The confidentiality, integrity, and availability of the affected system are all at high risk. [2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by inspecting deployments that use the 'docker compose' build pack with untrusted or attacker-controlled docker-compose.yaml files. Specifically, look for suspicious volume source parameters that include shell command injections, such as backticks or command substitutions. Since the vulnerability involves command injection via unsanitized parameters in docker-compose.yaml, monitoring for unusual docker exec commands or unexpected network connections (e.g., curl commands to external servers) from the Coolify host may help detect exploitation attempts. There are no explicit detection commands provided, but you can audit the docker-compose.yaml files used in deployments for suspicious entries, and monitor running containers and host processes for unexpected commands executed as root. [2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading Coolify to version 4.0.0-beta.445 or later, where the vulnerability is fixed by automatically injecting the '-f' and '--env-file' flags into Docker Compose commands to ensure proper sanitization and configuration. Until the upgrade, avoid deploying applications from untrusted or attacker-controlled repositories, especially those using the 'docker compose' build pack. Additionally, review and restrict user permissions to prevent untrusted users from deploying arbitrary applications. Monitoring and restricting network access to the Coolify instance can also reduce risk. [1, 2]

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows attackers to execute arbitrary commands as root on the Coolify host, potentially leading to unauthorized access, data exfiltration, and system compromise. Such impacts can result in violations of data protection and security requirements mandated by standards like GDPR and HIPAA, which require safeguarding confidentiality, integrity, and availability of sensitive data and systems. Therefore, exploitation of this vulnerability could lead to non-compliance with these regulations due to the risk of data breaches and unauthorized system control. [2]

Useful 0 Not Useful 0