CVE-2025-64424
Command Injection in Coolify Git Input Allows Root Execution
Publication date: 2026-01-05
Last updated on: 2026-01-05
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| coollabsio | coolify | up to 4.0.0-beta.434 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-64424 is a critical command injection vulnerability in Coolify versions up to v4.0.0-beta.434. It occurs because user input in the git source repository URL fields is not properly sanitized, allowing a low-privileged user (member) to inject and execute arbitrary system commands as root on the Coolify instance. This happens through the function executeInDocker, which constructs shell commands by embedding user input directly, enabling remote command execution with root privileges. [1]
How can this vulnerability impact me?
This vulnerability can lead to a full system compromise of the Coolify instance. An attacker with low privileges can execute arbitrary commands as root, potentially gaining complete control over the server, accessing sensitive data, disrupting services, or using the compromised system to attack other systems. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious git source URL inputs containing shell command delimiters or unusual payloads in Coolify's git source input fields. Since the vulnerability involves command injection via git repository URLs, inspecting these inputs for special characters or commands is key. Additionally, monitoring network traffic for unexpected outbound requests (e.g., curl commands to attacker-controlled domains) from the Coolify server may indicate exploitation attempts. Specific commands are not provided, but administrators can search logs or database entries for git URLs containing suspicious characters such as ';', '|', or '`'. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or disabling the ability for low-privileged users (members) to input or modify git source URLs until a patch is available. Administrators should monitor and audit git source inputs for malicious payloads and consider isolating the Coolify instance from untrusted networks to reduce exposure. Since no patch is available at the time of reporting, applying strict input validation or sanitization manually, or limiting user privileges, can help reduce risk. [1]
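The two answers above suggest searching stored git source URLs for shell delimiters and applying strict input validation. The following is an added example (not Coolify code) that does both: an allowlist for the URL forms a git source legitimately takes (https, ssh, and scp-style `user@host:path`; the exact allowlist is my assumption and should be adjusted to your hosts) and a scan over constructed sample rows that flags anything containing the delimiters the advisory names.

```python
import re

# Shell metacharacters the advisory names (';', '|', '`') plus others that serve the same
# purpose in a shell. Assumption: a legitimate git URL never needs any of them.
SUSPICIOUS = re.compile(r"[;|`&$<>()\n]")

# Allowlist of acceptable git source URL shapes (assumed, adjust to your environment):
#   https://host[:port]/owner/repo[.git]
#   ssh://user@host[:port]/owner/repo[.git]
#   user@host:owner/repo[.git]
ALLOWED = re.compile(
    r"^(?:https://[A-Za-z0-9.-]+(?::\d+)?/[A-Za-z0-9._/-]+"
    r"|ssh://[A-Za-z0-9._-]+@[A-Za-z0-9.-]+(?::\d+)?/[A-Za-z0-9._/-]+"
    r"|[A-Za-z0-9._-]+@[A-Za-z0-9.-]+:[A-Za-z0-9._/-]+)$"
)


def is_valid_git_url(url: str) -> bool:
    """Allowlist check to apply before a URL is ever placed near a shell command."""
    return bool(ALLOWED.match(url)) and not SUSPICIOUS.search(url)


def find_suspicious(entries):
    """Return (row_id, url, reason) for stored git URLs that fail the allowlist."""
    findings = []
    for row_id, url in entries:
        m = SUSPICIOUS.search(url)
        if m:
            findings.append((row_id, url, f"shell metacharacter {m.group()!r}"))
        elif not ALLOWED.match(url):
            findings.append((row_id, url, "not a recognised git URL form"))
    return findings


# Constructed sample rows shaped like (id, git_repository) records; not real Coolify data.
SAMPLE_ENTRIES = [
    (1, "https://github.com/acme/app.git"),
    (2, "git@github.com:acme/app.git"),
    (3, "https://github.com/acme/app.git;id"),
    (4, "https://gitea.example.internal/acme/app|id"),
    (5, "https://github.com/acme/`id`"),
    (6, "ftp://example.com/acme/app"),
]

if __name__ == "__main__":
    for row_id, url, reason in find_suspicious(SAMPLE_ENTRIES):
        print(f"row {row_id}: {url!r} -> {reason}")
```

Rows 3 to 5 are flagged for the delimiters the advisory names; row 6 is flagged only because it is not a recognised git URL form, which is the kind of entry worth a manual look.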