CVE-2025-22605
Published: 24 January 2025
Summary
CVE-2025-22605 is a high-severity OS Command Injection (CWE-78) vulnerability in Coollabs Coolify. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked at the 44.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents OS command injection (CWE-78) by enforcing input validation at the vulnerable remoteProcess.php command execution point.
- SI-2 (Flaw Remediation): ensures timely identification, reporting, and patching of the specific Coolify vulnerability, which is fixed in version 4.0.0-beta.253.
- AC-6 (Least Privilege): limits the scope and impact of arbitrary code execution on the Coolify container by enforcing least privilege on the processes that handle remote commands.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection (CWE-78) directly enables arbitrary Unix shell command execution on the local container by low-privilege authenticated users (T1059.004); this is exploited for privilege escalation to achieve high-impact code execution, data access, and control (T1068).
NVD Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Starting in version 4.0.0-beta.18 and prior to 4.0.0-beta.253, a vulnerability in the execution of commands on remote servers allows an authenticated user to execute arbitrary code on the local Coolify container, gaining access to data and private keys or tokens of other users/teams. The ability to inject malicious commands into the Coolify container gives authenticated attackers the ability to fully retrieve and control the data and availability of the software. Centrally hosted Coolify instances (open registration and/or multiple teams with potentially untrustworthy users) are especially at risk, as sensitive data of all users and connected servers can be leaked by any user. Additionally, attackers are able to modify the running software, potentially deploying malicious images to remote nodes or generally changing its behavior. Version 4.0.0-beta.253 patches this issue.
Deeper analysis
CVE-2025-22605 is an OS command injection vulnerability (CWE-78) in Coolify, an open-source self-hostable tool for managing servers, applications, and databases. The flaw resides in the execution of commands on remote servers, specifically within the `bootstrap/helpers/remoteProcess.php` component at line 70. It affects Coolify versions starting from 4.0.0-beta.18 up to but not including 4.0.0-beta.253. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts with low attack complexity and requiring local access and low privileges.
An authenticated user with local access to the Coolify instance can exploit this vulnerability to execute arbitrary code on the local Coolify container. This grants attackers access to sensitive data, private keys, and tokens belonging to other users or teams, as well as full control over the software's data and availability. In multi-tenant or centrally hosted Coolify setups with open registration or untrustworthy users, the risk is amplified, as any user could leak data from all users and connected servers. Attackers can also modify the running software, deploy malicious images to remote nodes, or alter its overall behavior.
The vulnerability is patched in Coolify version 4.0.0-beta.253, as detailed in the project's GitHub security advisory (GHSA-9wqm-fg79-4748), the fixing commit (353245bb7de9680f238bae30443af1696bc977b0), and related pull requests (#1524 and #1625). Security practitioners should update to the patched version immediately, particularly for instances hosting multiple teams or enabling open registration, and review access controls to limit authenticated users with local access.
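The advisory describes the general CWE-78 pattern: a shell command for a remote or containerised process is assembled from values an authenticated user controls. The PHP below is an added illustration, not Coolify's code and not taken from the fixing commit; the function names, the `docker exec` shape of the command, and the sample inputs are all hypothetical. It places a string-interpolating builder beside a hardened one that applies the SI-10 style check (a strict allowlist pattern for the container name) and quotes every argument with `escapeshellarg` so the shell treats each value as a single token.

```php
<?php
// Added example (not Coolify's code). Contrasts an unsafe command builder
// with one that validates and quotes its inputs. Names are hypothetical.

declare(strict_types=1);

// Unsafe: user-controlled values are interpolated straight into the
// command string, so shell metacharacters in either value change what runs.
function buildRemoteCommandUnsafe(string $containerName, string $command): string
{
    return "docker exec {$containerName} {$command}";
}

// Hardened: reject anything that is not a plausible container name
// (Docker's documented name rule: [a-zA-Z0-9][a-zA-Z0-9_.-]+), then quote
// every argument so the resulting string is one argv entry per element.
function buildRemoteCommandSafe(string $containerName, array $argv): string
{
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}$/', $containerName)) {
        throw new InvalidArgumentException('invalid container name');
    }
    if ($argv === []) {
        throw new InvalidArgumentException('empty command');
    }
    foreach ($argv as $arg) {
        if (!is_string($arg)) {
            throw new InvalidArgumentException('arguments must be strings');
        }
    }
    $quoted = array_map('escapeshellarg', $argv);
    return 'docker exec ' . escapeshellarg($containerName) . ' ' . implode(' ', $quoted);
}

// Constructed inputs for the demonstration.
$benignName  = 'app-1';
$taintedName = 'app-1; echo injected';   // constructed: carries a shell separator

// The unsafe builder passes the separator through unchanged.
echo buildRemoteCommandUnsafe($taintedName, 'ls') . PHP_EOL;

// The hardened builder refuses the same value at the validation step.
try {
    echo buildRemoteCommandSafe($taintedName, ['ls']) . PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}

// A legitimate name with an argument containing a space is quoted, not split.
echo buildRemoteCommandSafe($benignName, ['ls', '-la', '/tmp/some dir']) . PHP_EOL;
```

Run it with `php example.php`. The first line shows the separator surviving into the command string; the second shows the allowlist rejecting it before any quoting happens; the third shows that quoting preserves a legitimate argument containing whitespace as one token. In a Laravel code base the same end is usually reached by passing an argument array to Symfony's `Process` class instead of a single shell string, which avoids shell parsing altogether; the validation step is still worthwhile, because it rejects unexpected input rather than merely neutralising it.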
Details
- CWE(s)