CVE-2025-64424
Unknown Unknown - Not Provided
Command Injection in Coolify Git Input Allows Root Execution

Publication date: 2026-01-05

Last updated on: 2026-01-05

Assigner: GitHub, Inc.

Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a command injection vulnerability exists in the git source input fields of a resource, allowing a low privileged user (member) to execute system commands as root on the Coolify instance. As of time of publication, it is unclear if a patch is available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-05
Last Modified
2026-01-05
Generated
2026-06-16
AI Q&A
2026-01-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-64424
EUVD
EUVD-2025-206232
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
coollabsio coolify to 4.0.0-beta.434 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-64424 is a critical command injection vulnerability in Coolify versions up to v4.0.0-beta.434. It occurs because user input in the git source repository URL fields is not properly sanitized, allowing a low-privileged user (member) to inject and execute arbitrary system commands as root on the Coolify instance. This happens through the function executeInDocker, which constructs shell commands by embedding user input directly, enabling remote command execution with root privileges. [1]

Impact Analysis

This vulnerability can lead to a full system compromise of the Coolify instance. An attacker with low privileges can execute arbitrary commands as root, potentially gaining complete control over the server, accessing sensitive data, disrupting services, or using the compromised system to attack other systems. [1]

Detection Guidance

This vulnerability can be detected by monitoring for suspicious git source URL inputs containing shell command delimiters or unusual payloads in Coolify's git source input fields. Since the vulnerability involves command injection via git repository URLs, inspecting these inputs for special characters or commands is key. Additionally, monitoring network traffic for unexpected outbound requests (e.g., curl commands to attacker-controlled domains) from the Coolify server may indicate exploitation attempts. Specific commands are not provided, but administrators can search logs or database entries for git URLs containing suspicious characters such as ';', '|', or '`'. [1]

Mitigation Strategies

Immediate mitigation steps include restricting or disabling the ability for low-privileged users (members) to input or modify git source URLs until a patch is available. Administrators should monitor and audit git source inputs for malicious payloads and consider isolating the Coolify instance from untrusted networks to reduce exposure. Since no patch is available at the time of reporting, applying strict input validation or sanitization manually, or limiting user privileges, can help reduce risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64424. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart