CVE-2025-59157
Published: 05 January 2026
Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, the Git Repository field during project creation is vulnerable to command injection. User input is not properly sanitized, allowing attackers to inject arbitrary shell commands that execute on the underlying server during the deployment workflow. A regular member user can exploit this vulnerability. Version 4.0.0-beta.420.7 contains a patch for the issue.
Mitigating Controls (NIST 800-53 r5)
SI-10 directly addresses the lack of input sanitization in the Git Repository field by requiring validation of user inputs to block command injection.
SI-2 mandates timely flaw remediation, including patching Coolify to version 4.0.0-beta.420.7 to eliminate the command injection vulnerability.
AC-6 enforces least privilege on the deployment process, limiting the impact of injected commands even if validation fails.
Security Summary
CVE-2025-59157 is a command injection vulnerability (CWE-78) in Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. The issue affects versions prior to 4.0.0-beta.420.7, specifically in the Git Repository field during project creation. User input in this field is not properly sanitized, enabling the injection of arbitrary shell commands that execute on the underlying server as part of the deployment workflow. The vulnerability has a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and high impacts across confidentiality, integrity, and availability with scope change.
A regular member user with low privileges can exploit this vulnerability remotely without user interaction. By crafting a malicious Git Repository URL during project creation, the attacker injects shell commands that run with the privileges of the deployment process on the server hosting Coolify. This allows full compromise of the underlying server, including data exfiltration, modification of applications or databases, or further lateral movement within the environment.
The official GitHub security advisory (GHSA-5cg9-38qj-8mc3) confirms that updating to version 4.0.0-beta.420.7 patches the issue by addressing the lack of input sanitization in the Git Repository field. Security practitioners should immediately upgrade affected Coolify instances and review access controls for member users to prevent exploitation during project deployments.
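As an added illustration of the SI-10 (input validation) and AC-6 (least privilege on the deployment step) controls listed above, the following Python is example code written for this page, not Coolify's own implementation. The allowed URL forms, the 512-character limit and the `git ls-remote` invocation are assumptions made for the example; the point is that the repository field is allow-list validated and then passed to git as an argv element, never interpolated into a shell string.

```python
import re
import subprocess

# Allow-listed forms for the Git Repository field (assumed for this example, not
# Coolify's own rules): https://host[:port]/path, ssh://user@host[:port]/path and
# scp-style user@host:path. Anything else, shell metacharacters included, is rejected.
_HOST = r"[A-Za-z0-9.-]+"
_PATH = r"[A-Za-z0-9._/-]+"
_ALLOWED = [
    re.compile(rf"https?://{_HOST}(:\d{{1,5}})?/{_PATH}"),
    re.compile(rf"ssh://[A-Za-z0-9._-]+@{_HOST}(:\d{{1,5}})?/{_PATH}"),
    re.compile(rf"[A-Za-z0-9._-]+@{_HOST}:{_PATH}"),
]

class InvalidRepository(ValueError):
    """Raised when a submitted repository reference fails validation."""

def validate_repository(repo: str) -> str:
    """Return repo unchanged if it matches an allow-listed form, else raise."""
    if len(repo) > 512:
        raise InvalidRepository("repository reference too long")
    # A leading '-' could be parsed by git as an option even when every char is "safe".
    if repo.startswith("-"):
        raise InvalidRepository("repository must not start with '-'")
    # fullmatch rather than match/'$': a trailing newline must not slip past the pattern.
    if not any(p.fullmatch(repo) for p in _ALLOWED):
        raise InvalidRepository("repository does not match an allowed URL form")
    return repo

def is_valid_repository(repo: str) -> bool:
    try:
        validate_repository(repo)
        return True
    except InvalidRepository:
        return False

def ls_remote_argv(repo: str, branch: str) -> list[str]:
    """Build the git call as an argv list so no shell ever parses user input; this
    replaces the injectable pattern subprocess.run(f"git ls-remote {repo}", shell=True)."""
    validate_repository(repo)
    if branch.startswith("-") or not re.fullmatch(_PATH, branch):
        raise InvalidRepository("branch name contains disallowed characters")
    # "--" ends option parsing, so neither value can be read as a git flag.
    return ["git", "ls-remote", "--heads", "--", repo, branch]

def run_ls_remote(repo: str, branch: str) -> subprocess.CompletedProcess:
    # shell=False (the default) hands argv straight to execve: no metacharacter expansion.
    return subprocess.run(ls_remote_argv(repo, branch), capture_output=True,
                          text=True, check=False, timeout=30)
```

Running the deployment step itself under a dedicated low-privilege account (AC-6) bounds what a rejected-but-somehow-executed value could do; the validator above does not replace that control.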
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The command injection vulnerability in Coolify's web-based Git Repository field enables remote exploitation of a public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004) with the privileges of the deployment process.