Cyber Posture

CVE-2025-22605

Severity: High · Public PoC

Published: 24 January 2025

Modified: 19 September 2025
KEV Added:
Patch:
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (45.0th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Starting in version 4.0.0-beta.18 and prior to 4.0.0-beta.253, a vulnerability in the execution of commands on remote servers allows an authenticated user to execute arbitrary code on the local Coolify container, gaining access to data and private keys or tokens of other users/teams. The ability to inject malicious commands into the Coolify container gives authenticated attackers the ability to fully retrieve and control the data and availability of the software. Centrally hosted Coolify instances (open registration and/or multiple teams with potentially untrustworthy users) are especially at risk, as sensitive data of all users and connected servers can be leaked by any user. Additionally, attackers are able to modify the running software, potentially deploying malicious images to remote nodes or generally changing its behavior. Version 4.0.0-beta.253 patches this issue.

Security Summary

CVE-2025-22605 is an OS command injection vulnerability (CWE-78) in Coolify, an open-source self-hostable tool for managing servers, applications, and databases. The flaw sits in the code path that executes commands on remote servers, specifically in `bootstrap/helpers/remoteProcess.php` at line 70. It affects Coolify versions from 4.0.0-beta.18 up to but not including 4.0.0-beta.253. The CVSS v3.1 base score is 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): high confidentiality, integrity, and availability impact, low attack complexity, low privileges required, and no user interaction. Note that the vector scores the attack vector as local (AV:L), but the advisory itself describes the attacker as any authenticated user; the practical precondition is an account on the instance, not shell access to the host.

Any authenticated Coolify user can exploit this to execute arbitrary code on the local Coolify container rather than on the remote server the command was addressed to. That container holds the data, private keys, and tokens of every user and team on the instance, so a successful attacker gains access to other teams' secrets and full control over the software's data and availability. In multi-tenant or centrally hosted setups with open registration or untrusted users, the risk is amplified: any single account can leak data belonging to all users and all connected servers. Attackers can also modify the running software, deploy malicious images to remote nodes, or otherwise alter its behavior.

The vulnerability is patched in Coolify version 4.0.0-beta.253, as detailed in the project's GitHub security advisory (GHSA-9wqm-fg79-4748), the fixing commit (353245bb7de9680f238bae30443af1696bc977b0), and the related pull requests (#1524 and #1625). Operators should upgrade to 4.0.0-beta.253 or later immediately, above all on instances that host multiple teams or allow open registration. Until the upgrade is in place, treat every account holder as able to read other teams' secrets: disable open registration and remove accounts that are not needed. Because private keys and tokens of other users and teams were exposed, rotating those credentials after upgrading is prudent wherever untrusted users held accounts.
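The pattern behind a bug of this class, as an added illustration that is not Coolify's code and not the patched line: a helper that assembles an `ssh` command line from stored server fields and hands it to the local shell. The field names (`$user`, `$host`, `$port`, `$remoteCmd`), the ssh-based construction, and the sample inputs are all assumptions made for the example. The harness shadows `ssh` with a shell function so the script runs offline; any output beyond the `ssh argv:` line is the injection executing on the local host, which is exactly the "arbitrary code on the local Coolify container" outcome the advisory describes.

```php
<?php
declare(strict_types=1);

// Illustrative example only: NOT Coolify's code and NOT the patched line.
// It shows the CWE-78 pattern in a "run this on a remote server" helper:
// the command line is built from stored server fields and handed to the
// LOCAL shell, which parses it before ssh ever starts.
// The field names and inputs below are assumptions, not the project's.

// Vulnerable: plain interpolation. A ';' or '$(...)' in any field is
// interpreted by /bin/sh on the controller host, not on the remote machine.
function buildRemoteCommandUnsafe(string $user, string $host, int $port, string $remoteCmd): string
{
    return "ssh -p {$port} {$user}@{$host} {$remoteCmd}";
}

// Hardened: allow-list the fields that have a known shape, and quote every
// operand with escapeshellarg() so the local shell sees only inert bytes.
function buildRemoteCommandSafe(string $user, string $host, int $port, string $remoteCmd): string
{
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9.\-]*$/', $host)) {
        throw new InvalidArgumentException("rejected host: {$host}");
    }
    if (!preg_match('/^[a-z_][a-z0-9_\-]*$/', $user)) {
        throw new InvalidArgumentException("rejected user: {$user}");
    }
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException("rejected port: {$port}");
    }
    // The free-form command cannot be allow-listed; quoting keeps it a single
    // argv entry for ssh, and only the remote shell will ever parse it.
    return sprintf(
        'ssh -p %d %s %s',
        $port,
        escapeshellarg($user . '@' . $host),
        escapeshellarg($remoteCmd)
    );
}

// Offline harness: run the assembled line through the local shell, but shadow
// `ssh` with a shell function so nothing leaves the host. Output other than the
// "ssh argv:" line is attacker input running locally.
function runThroughLocalShell(string $commandLine): string
{
    $shadow = 'ssh() { printf "ssh argv: %s\n" "$*"; }; ';
    return (string) shell_exec($shadow . $commandLine . ' 2>&1');
}

// Constructed inputs: an attacker who controls a server record (or a command
// field) appends a local command after a metacharacter.
$evilHost = '10.0.0.5; echo INJECTED-LOCALLY';
$evilCmd  = 'uptime; echo INJECTED-LOCALLY';

echo "--- unsafe builder, hostile host field ---\n";
echo runThroughLocalShell(buildRemoteCommandUnsafe('root', $evilHost, 22, 'uptime'));

echo "--- unsafe builder, hostile command field ---\n";
echo runThroughLocalShell(buildRemoteCommandUnsafe('root', '10.0.0.5', 22, $evilCmd));

echo "--- safe builder, hostile host field ---\n";
try {
    runThroughLocalShell(buildRemoteCommandSafe('root', $evilHost, 22, 'uptime'));
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}

echo "--- safe builder, hostile command field ---\n";
echo runThroughLocalShell(buildRemoteCommandSafe('root', '10.0.0.5', 22, $evilCmd));
```

With the unsafe builder, both hostile inputs produce a second line of output after `ssh argv:`, because the local shell split the line at `;` and ran the remainder itself. With the safe builder, the hostile host is rejected outright and the hostile command arrives at the `ssh` function as one argument, so nothing runs locally. Where the helper does not need local shell features at all, the stronger fix is to skip the shell entirely: PHP 7.4 and later accept an array as the first argument to `proc_open()`, which executes the program with the given argv and leaves no string for a shell to parse.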

Details

CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command, i.e. OS command injection)

Affected Products

coollabs coolify 4.0.0 (affected range per the advisory: 4.0.0-beta.18 up to, but not including, 4.0.0-beta.253)
