CVE-2025-64419

CriticalPublic PoC

Published: 05 January 2026

Published

05 January 2026

Modified

12 January 2026

KEV Added

—

Patch

—

CVSS Score 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS Score 0.0015 35.8th percentile

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.445, parameters coming from docker-compose.yaml are not sanitized when used in commands. If a victim user creates an application from an attacker repository (using…

build pack "docker compose"), the attacker can execute commands on the Coolify instance as root. Version 4.0.0-beta.445 fixes the issue.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation and sanitization of unsanitized parameters from docker-compose.yaml before passing to system commands, preventing command injection.

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and patching of the command injection flaw fixed in Coolify version 4.0.0-beta.445.

CM-11 User-installed Software partial match

prevent

Requires checking and validating software configurations from external attacker-controlled Git repositories before installation via docker compose build pack.

Security SummaryAI

CVE-2025-64419 is a command injection vulnerability (CWE-77) in Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.445, parameters sourced from docker-compose.yaml files are not sanitized before being passed to system commands. This flaw has a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, no required privileges, user interaction needed, and high impacts across confidentiality, integrity, and availability.

An attacker can exploit this vulnerability by controlling a Git repository that a victim user pulls into their Coolify instance when creating an application using the "docker compose" build pack. The unsanitized parameters in the malicious docker-compose.yaml enable arbitrary command execution on the Coolify host as the root user, potentially allowing full compromise of the server, data exfiltration, persistence, or further lateral movement.

The Coolify security advisory (GHSA-234r-xrrg-m8f3) and associated fix commit (f86ccfaa9af572a5487da8ea46b0a125a4854cf6) confirm that upgrading to version 4.0.0-beta.445 or later resolves the issue through proper sanitization of docker-compose.yaml parameters. Security practitioners should advise users to update immediately, validate application sources, and review docker-compose configurations for any ongoing risks.

Details

CWE(s): CWE-77

Affected Products

coollabs

coolify

4.0.0 · ≤ 4.0.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

CVE enables exploitation of public-facing application (Coolify) via malicious Git repo and docker-compose.yaml leading to command injection for arbitrary Unix shell execution as root.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/coollabsio/coolify/commit/f86ccfaa9af572a5487da8ea46b0a125a4854cf6
Patch · security-advisories@github.com
https://github.com/coollabsio/coolify/security/advisories/GHSA-234r-xrrg-m8f3
Exploit, Vendor Advisory · security-advisories@github.com