CVE-2025-34159
Published: 27 August 2025
Summary
CVE-2025-34159 is a high-severity Improper Input Validation (CWE-20) vulnerability in Coollabs Coolify. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 31.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly addresses the improper input validation by requiring checks on user-supplied Docker Compose directives so that service definitions which mount the host root filesystem are rejected before deployment.
- CM-5 (Access Restrictions for Change): Restricts privileged functions such as project creation and application deployment to authorized roles, preventing low-privilege members from injecting arbitrary Docker Compose configurations.
- Flaw remediation: Mandates monitoring for flaws like this RCE vulnerability and applying vendor patches, such as upgrading Coolify to v4.0.0-beta.420.7 or later.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables low-privileged authenticated users to inject malicious Docker Compose configurations during deployment (T1610), mount the host root filesystem to escape container isolation (T1611), execute arbitrary Unix shell commands as root (T1059.004), and thereby escalate privileges via exploitation (T1068).
NVD Description
Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application deployment workflow. The platform allows authenticated users, with low-level member privileges, to inject arbitrary Docker Compose directives during project creation. By crafting a malicious service definition that mounts the host root filesystem, an attacker can gain full root access to the underlying server.
Deeper analysis
Coolify, a self-hosted platform for deploying applications, suffers from a remote code execution vulnerability (CVE-2025-34159) in versions prior to v4.0.0-beta.420.6. The flaw resides in the application deployment workflow, where authenticated users can inject arbitrary Docker Compose directives during project creation. This improper input validation (CWE-20) enables code injection (CWE-94), allowing attackers to craft malicious service definitions that mount the host root filesystem. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete system compromise.
Attackers require only low-level member privileges and valid authentication to exploit this remotely over the network with no user interaction needed. By submitting a specially crafted Docker Compose file during project setup, they can escalate privileges to full root access on the underlying server, enabling arbitrary code execution, data exfiltration, persistence, or further lateral movement.
Mitigation is available via upgrading to Coolify v4.0.0-beta.420.7 or later, as indicated in the project's release notes. Additional details and a proof-of-concept are provided in the dedicated GitHub repository at https://github.com/Eyodav/CVE-2025-34159, with official documentation on the Coolify site at https://coolify.io/. Security practitioners should audit access controls for member roles and monitor deployment logs for suspicious Docker Compose configurations.
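As an added example (not Coolify's own code), the following is the kind of SI-10 input check the mitigations above call for: a deny-by-default validator run over a parsed Compose mapping before it is handed to Docker, which can equally be run over Compose files archived from deployment logs. The denied subtrees, dangerous keys and the sample document are constructed for this example.

```python
import posixpath

# Constructed policy for this example: host subtrees a member may never bind-mount.
DENIED_SUBTREES = ("/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")
# Service keys that grant host-level access regardless of any mounts.
DANGEROUS_KEYS = {"privileged": True, "pid": "host", "network_mode": "host", "ipc": "host"}


def host_source(volume):
    """Host-side path of a Compose volume entry, or None for named/anonymous volumes."""
    src = ""
    if isinstance(volume, str) and ":" in volume:                              # short syntax "src:dst[:mode]"
        src = volume.split(":")[0]
    elif isinstance(volume, dict) and volume.get("type", "volume") == "bind":  # long syntax
        src = str(volume.get("source", ""))
    # Compose treats sources starting with "/", "." or "~" as host paths; anything else is a named volume.
    return src if src.startswith(("/", ".", "~")) else None


def is_denied(src):
    """True if the host path is the root filesystem, a denied subtree, or escapes the project dir."""
    norm = posixpath.normpath(src)
    if norm.startswith("//"):                          # POSIX keeps exactly two leading slashes
        norm = "/" + norm.lstrip("/")
    if norm == "/" or src.startswith("~"):             # "/", "/../", "/etc/.." all normalise to root
        return True
    if not norm.startswith("/"):
        return norm.startswith("..")                   # "./app" stays in the project dir, "../../x" does not
    return any(norm == d or norm.startswith(d + "/") for d in DENIED_SUBTREES)


def check_compose(compose):
    """Return findings for a parsed Compose mapping (e.g. from yaml.safe_load); empty means allowed."""
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        if not isinstance(svc, dict):
            continue
        for key, bad in DANGEROUS_KEYS.items():
            if svc.get(key) == bad:
                findings.append(f"{name}: {key}={bad!r} is not permitted")
        for vol in svc.get("volumes") or []:
            src = host_source(vol)
            if src is not None and is_denied(src):
                findings.append(f"{name}: host bind mount of {src!r} is not permitted")
    return findings


# Constructed sample: one benign service and one that binds the host root filesystem.
SAMPLE = {"services": {
    "web": {"image": "nginx", "volumes": ["./site:/usr/share/nginx/html", "cache:/var/cache"]},
    "pwn": {"image": "alpine", "privileged": True,
            "volumes": [{"type": "bind", "source": "/", "target": "/host"}]}},
    "volumes": {"cache": {}}}
```

Running `check_compose(SAMPLE)` yields two findings for the `pwn` service and none for `web`; a deployment pipeline would refuse the whole document whenever the list is non-empty.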
Details
- CWE(s)