CVE-2025-22606
Published: 24 January 2025
Summary
CVE-2025-22606 is a high-severity OS Command Injection (CWE-78) vulnerability in Coollabs Coolify. Its CVSS base score is 7.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Unix Shell (T1059.004). Its exploit-likelihood score places it in the top 49.6% of CVEs, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 directly addresses the root cause: project names are attacker-controlled input and must be validated against an allowlist (and never interpolated into a shell command string) rather than merely screened for single quotes.
SI-2 ensures timely flaw remediation by requiring patching to version 4.0.0-beta.359 or later, eliminating the command injection vulnerability.
AC-6 applies least privilege to restrict the Coolify process permissions, limiting the impact of any injected shell commands executed on the host.
MITRE ATT&CK Enterprise Techniques
Unix Shell (T1059.004)
Why these techniques?
The command injection vulnerability (via unescaped project name input) directly enables execution of arbitrary shell commands on the host system.
NVD Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In version 4.0.0-beta.358 and possibly earlier versions, when creating or updating a "project," it is possible to inject arbitrary shell commands by altering the project name. If a name includes unescaped characters, such as single quotes (`'`), it breaks out of the intended command structure, allowing attackers to execute arbitrary commands on the host system. This vulnerability allows attackers to execute arbitrary commands on the host server, which could result in full system compromise; create, modify, or delete sensitive system files; and escalate privileges depending on the permissions of the executed process. Attackers with access to project management features could exploit this flaw to gain unauthorized control over the host environment. Version 4.0.0-beta.359 fixes this issue.
Deeper analysis
CVE-2025-22606 is a command injection vulnerability (CWE-78) in Coolify, an open-source, self-hostable tool for managing servers, applications, and databases. It affects version 4.0.0-beta.358 and possibly earlier versions. The flaw occurs when creating or updating a "project": the project name is placed inside a single-quoted region of a shell command string, so a name containing an unescaped single quote (') terminates that region early and the remainder of the name is parsed as shell syntax, giving the attacker command execution on the host. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vector scores attack vector as local, but the practical precondition is an authenticated, low-privileged Coolify user who can create or update projects; no user interaction is required. Successful exploitation yields arbitrary command execution on the host server, potentially leading to full system compromise, creation, modification, or deletion of sensitive files, and privilege escalation up to the permissions of the Coolify process that runs the command.
The GitHub security advisory (GHSA-ccp8-v65g-m526) confirms that version 4.0.0-beta.359 addresses the issue by fixing the command injection in project name handling. Security practitioners should update to this patched version and review access controls for project management features.
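The following is an added illustration, not Coolify's own code: it reproduces the pattern the advisory describes (a name wrapped in single quotes inside a shell command string), shows how a single quote in the name breaks out of the quoted region, and contrasts it with the two hardened forms plus the SI-10 allowlist check and an SI-2 version check. The directory path, the `mkdir` command, the name regex and the version-string format are assumptions for the example.

```python
import re
import shlex
import subprocess

PROJECT_ROOT = "/data/projects"  # hypothetical path, not Coolify's

# Constructed attacker input of the kind the advisory describes: the first
# single quote closes the quoted name, then '; id; echo ' is shell syntax.
INJECTION_NAME = "x'; id; echo 'y"


def build_command_unsafe(name: str) -> str:
    # Vulnerable pattern (illustrative): attacker-controlled text is
    # interpolated into a single-quoted region and the whole string
    # would be handed to a shell. The function only builds the string.
    return f"mkdir -p '{PROJECT_ROOT}/{name}'"


def build_command_quoted(name: str) -> str:
    # Hardened string form: shlex.quote re-quotes embedded single quotes
    # so the value stays one shell word whatever it contains.
    return f"mkdir -p {shlex.quote(PROJECT_ROOT + '/' + name)}"


def build_argv(name: str) -> list:
    # Preferred form: no shell at all. Run with subprocess.run(argv)
    # (shell=False is the default), so the name is one argv element.
    return ["mkdir", "-p", f"{PROJECT_ROOT}/{name}"]


def shell_words(cmd: str) -> list:
    # Tokenize the way a POSIX shell would; ';' becomes its own operator
    # token, which is how a breakout shows up as extra commands.
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return list(lexer)


NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$")  # assumed policy


def is_valid_project_name(name: str) -> bool:
    # SI-10: allowlist of characters, not a denylist of quotes.
    return NAME_RE.fullmatch(name) is not None


FIXED_VERSION = "4.0.0-beta.359"
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-beta\.(\d+))?$")


def version_key(version: str) -> tuple:
    # Orders 4.0.0-beta.N below 4.0.0 (a release sorts after any of its betas).
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, beta = m.groups()
    is_release = 1 if beta is None else 0
    return (int(major), int(minor), int(patch), is_release, int(beta or 0))


def is_patched(version: str) -> bool:
    # SI-2: anything at or above the fixed version is considered remediated.
    return version_key(version) >= version_key(FIXED_VERSION)


def create_project_dir(name: str) -> subprocess.CompletedProcess:
    # Hardened create: validate first, then run without a shell.
    if not is_valid_project_name(name):
        raise ValueError("invalid project name")
    return subprocess.run(build_argv(name), check=True)


if __name__ == "__main__":
    print("unsafe  :", shell_words(build_command_unsafe(INJECTION_NAME)))
    print("quoted  :", shell_words(build_command_quoted(INJECTION_NAME)))
    print("argv    :", build_argv(INJECTION_NAME))
    print("valid?  :", is_valid_project_name(INJECTION_NAME))
    print("patched?:", is_patched("4.0.0-beta.358"), is_patched(FIXED_VERSION))
```

Running the script shows the unsafe form tokenizing into three commands (`mkdir`, `id`, `echo`) while the quoted form keeps the whole name as the single argument of `mkdir`; the argv form never involves a shell, so there is nothing to break out of. The allowlist rejects the injection name before any command is built.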
Details
- CWE(s)