Cyber Resilience

CVE-2025-34161

Critical · Public PoC · RCE

Published: 27 August 2025
Modified: 19 September 2025
KEV Added: not listed
Patch: available (v4.0.0-beta.420.7)
CVSS Score (v4): 9.4
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0119 (79.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-34161 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Coollabs Coolify. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 20.7% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Coolify versions prior to v4.0.0-beta.420.7 are affected by a remote code execution vulnerability in the project deployment workflow. The flaw arises from improper input validation that permits command injection through the Git Repository field, consistent with the associated CWE-20 and CWE-78 classifications; the critical CVSS 9.4 score reflects network-accessible impact with low attack complexity.

Authenticated users holding low-level member privileges can exploit the issue by submitting a crafted repository string containing shell metacharacters during project creation. Successful injection results in arbitrary command execution on the underlying host, enabling full server compromise without requiring user interaction or elevated privileges.

The vendor released a fix in v4.0.0-beta.420.7, available via the project's GitHub repository. The EPSS score has remained flat at 0.0119 with no material increase since disclosure.

Vulnerability details

Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deployment workflow. The platform allows authenticated users, with low-level member privileges, to inject arbitrary shell commands via the Git Repository field during project creation. By submitting a crafted repository string containing command injection syntax, an attacker can execute arbitrary commands on the underlying host system, resulting in full server compromise.

CWE(s)

CWE-20 Improper Input Validation
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside a network.
Why these techniques?

The vulnerability enables authenticated low-privileged users to perform Unix shell command injection (T1059.004) via the Git Repository field during project deployment, facilitating exploitation of the remote Coolify service (T1210) for privilege escalation to full host compromise (T1068).

CVEs Like This One

CVE-2025-66211 (same product: Coollabs Coolify)
CVE-2025-66212 (same product: Coollabs Coolify)
CVE-2025-59156 (same product: Coollabs Coolify)
CVE-2025-66209 (same product: Coollabs Coolify)
CVE-2025-22605 (same product: Coollabs Coolify)
CVE-2025-66210 (same product: Coollabs Coolify)
CVE-2025-22606 (same product: Coollabs Coolify)
CVE-2025-59157 (same product: Coollabs Coolify)
CVE-2025-66213 (same product: Coollabs Coolify)
CVE-2025-34159 (same product: Coollabs Coolify)

Affected Assets

Vendor: coollabs
Product: coolify
Version: 4.0.0 (≤ 4.0.0)

Mitigating Controls

NIST 800-53 r5 (AI)

SI-10 Information Input Validation [prevent]: SI-10 directly mandates input validation mechanisms at entry points like the Git Repository field, preventing command injection by rejecting malformed inputs containing shell metacharacters.
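As an added illustration of the SI-10 control above (example code written for this page, not Coolify's own implementation; the function names, the metacharacter reject-list and the URL allowlist are assumptions), a validator for a Git Repository field that rejects shell metacharacters and accepts only a few repository URL forms, plus a clone invocation that passes the value as a single argv element instead of through a shell:

```python
import re
import subprocess

# Characters with meaning to a POSIX shell (assumed reject-list for this example).
# A repository reference never needs any of them, so their presence is rejected outright.
SHELL_METACHARACTERS = set(";|&$`<>(){}[]!*?#\\\"'\n\r\t ")

# Narrow allowlist of repository reference forms (assumed policy for this example):
#   https://host[:port]/owner/repo[.git]  ssh://git@host[:port]/owner/repo[.git]  git@host:owner/repo[.git]
_HOST = r"[A-Za-z0-9.-]+(?::[0-9]{1,5})?"
_PATH = r"[A-Za-z0-9._-]+(?:/[A-Za-z0-9._-]+)+"
REPO_PATTERNS = [
    re.compile(rf"^https://{_HOST}/{_PATH}$"),
    re.compile(rf"^ssh://git@{_HOST}/{_PATH}$"),
    re.compile(rf"^git@[A-Za-z0-9.-]+:{_PATH}$"),
]


def validate_repository(value: str) -> str:
    """Return value unchanged if it is an acceptable repository reference, else raise ValueError."""
    if not value or len(value) > 512:
        raise ValueError("repository reference is empty or too long")
    bad = sorted(c for c in set(value) if c in SHELL_METACHARACTERS)
    if bad:
        raise ValueError(f"repository reference contains forbidden characters: {bad!r}")
    if value.startswith("-"):
        raise ValueError("repository reference must not look like a command-line option")
    if not any(p.match(value) for p in REPO_PATTERNS):
        raise ValueError("repository reference does not match an allowed form")
    return value


def is_valid_repository(value: str) -> bool:
    """Boolean wrapper around validate_repository for callers that only need accept/reject."""
    try:
        validate_repository(value)
        return True
    except ValueError:
        return False


def build_clone_argv(value: str, dest: str) -> list[str]:
    """Build the argv for a clone. The validated value is one argv element; no shell is involved."""
    repo = validate_repository(value)
    # '--' ends option parsing, so even an odd-looking value cannot be read by git as a flag.
    return ["git", "clone", "--depth", "1", "--", repo, dest]


def clone(value: str, dest: str) -> int:
    # A list argv with shell=False: anything in `repo` reaches git as data, never a shell.
    return subprocess.run(build_clone_argv(value, dest), shell=False, check=False).returncode
```

The allowlist match is the stronger of the two checks; the metacharacter reject-list is kept so that a rejected value produces an error message naming exactly what was wrong with it.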

SI-2 Flaw Remediation [prevent]: SI-2 requires timely identification, reporting, and correction of system flaws, such as this RCE vulnerability, through patching to Coolify v4.0.0-beta.420.7 or later.

AC-6 Least Privilege [prevent]: AC-6 enforces least privilege, limiting low-level member access to project creation functions and thereby reducing the risk of exploitation by unauthorized or low-privileged users.
