CVE-2025-22606
Published: 24 January 2025
Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In version 4.0.0-beta.358 and possibly earlier versions, when creating or updating a "project," it is possible to inject arbitrary shell commands by altering the project name. If a name includes unescaped characters, such as single quotes (`'`), it breaks out of the intended command structure, allowing attackers to execute arbitrary commands on the host system. This could result in full system compromise; the creation, modification, or deletion of sensitive system files; and privilege escalation, depending on the permissions of the executed process. Attackers with access to project management features could exploit this flaw to gain unauthorized control over the host environment. Version 4.0.0-beta.359 fixes this issue.
Security Summary
CVE-2025-22606 is a command injection vulnerability (CWE-78) in Coolify, an open-source, self-hostable tool for managing servers, applications, and databases. It affects version 4.0.0-beta.358 and possibly earlier versions. The flaw occurs when creating or updating a "project": the project name is placed into a shell command without escaping, so a name containing characters such as single quotes (') breaks out of the intended command structure and enables arbitrary command execution on the host system. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H).
Attackers with local access and low privileges, such as those able to use the project management features, can exploit this issue without user interaction. Successful exploitation allows arbitrary command execution on the host server, potentially leading to full system compromise; the creation, modification, or deletion of sensitive files; and privilege escalation, depending on the permissions of the process that runs the command.
The GitHub security advisory (GHSA-ccp8-v65g-m526) confirms that version 4.0.0-beta.359 addresses the issue by fixing the command injection in project name handling. Security practitioners should update to this patched version and review access controls for project management features.
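To make the root cause concrete, the following added example models the pattern behind this advisory: a project name spliced into a single-quoted shell string, beside two hardened alternatives (escaping with shlex.quote, or avoiding the shell entirely with an argv list) and an allow-list validator. It is illustrative Python, not Coolify's code (Coolify is a PHP application), and the sample names and the /data/projects path are constructed assumptions; it only builds and tokenizes command strings, nothing is executed.

```python
import re
import shlex
from typing import List, Optional

# Constructed sample project names (assumptions, not values from the advisory).
BENIGN_NAME = "billing-api"
UNBALANCED_NAME = "it's"      # a lone single quote, the character the advisory names
SPLIT_NAME = "a' 'b"          # balanced quotes: the name no longer stays one argument


def build_naive(name: str) -> str:
    """Vulnerable pattern: the name is spliced into a single-quoted shell string.
    A single quote in the name ends the literal; whatever follows is parsed as shell."""
    return f"mkdir -p '/data/projects/{name}'"


def build_quoted(name: str) -> str:
    """Hardened: shlex.quote() escapes the name so the shell sees exactly one word."""
    return f"mkdir -p {shlex.quote('/data/projects/' + name)}"


def as_argv(name: str) -> List[str]:
    """Preferred fix: no shell at all; hand this list to subprocess.run(argv)."""
    return ["mkdir", "-p", "/data/projects/" + name]


def is_valid_project_name(name: str) -> bool:
    """Allow-list validation as an independent layer (letters, digits, '.', '_', '-')."""
    return re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}", name) is not None


def shell_words(cmd: str) -> Optional[List[str]]:
    """The words a POSIX shell would see for cmd, or None if quoting is unbalanced."""
    try:
        return shlex.split(cmd)
    except ValueError:
        return None


if __name__ == "__main__":
    for name in (BENIGN_NAME, UNBALANCED_NAME, SPLIT_NAME):
        print(f"{name!r}: valid={is_valid_project_name(name)} "
              f"naive={shell_words(build_naive(name))} "
              f"quoted={shell_words(build_quoted(name))}")
```

Running the script shows the naive command either failing to parse or splitting into extra words for the quote-bearing names, while the quoted form always yields three words with the name intact.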
Details
- CWE(s)