Cyber Posture

CVE-2025-64424

HighPublic PoC

Published: 05 January 2026

Published
05 January 2026
Modified
12 January 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0047 64.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a command injection vulnerability exists in the git source input fields of a resource, allowing a low privileged user…

more

(member) to execute system commands as root on the Coolify instance. As of time of publication, it is unclear if a patch is available.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly prevents command injection by requiring validation of untrusted inputs in git source fields before processing.

SI-2 Flaw Remediation good match
prevent

Addresses the root cause by identifying, reporting, and remediating the specific command injection flaw in Coolify.

AC-6 Least Privilege partial match
prevent

Mitigates impact of successful injection by enforcing least privilege on processes handling user inputs, preventing root-level execution.

Security SummaryAI

CVE-2025-64424 is a command injection vulnerability (CWE-77) in Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. The flaw exists in the git source input fields of a resource and affects versions up to and including v4.0.0-beta.434. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.

A low-privileged user with member access can exploit the vulnerability remotely without user interaction. By injecting malicious commands into the git source input fields, the attacker can execute arbitrary system commands as the root user on the Coolify instance, enabling full system compromise.

The primary references include the GitHub security advisory GHSA-qx24-jhwj-8w6x and a proof-of-concept at a Google Drive link. As of the CVE publication on January 5, 2026, it is unclear if a patch is available.

Details

CWE(s)
CWE-77

Affected Products

coollabs
coolify
4.0.0 · ≤ 4.0.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

Command injection in network-accessible git source input fields enables RCE as root from low-priv access, directly facilitating public-facing app exploitation (T1190), privilege escalation via exploitation (T1068), and Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References