CVE-2025-34161
Published: 27 August 2025
Summary
CVE-2025-34161 is a high-severity Improper Input Validation (CWE-20) vulnerability in Coollabs Coolify. Its CVSS base score is 8.8 (High).
Exploitation maps to the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 23.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 directly mandates input validation mechanisms at entry points like the Git Repository field, preventing command injection by rejecting malformed inputs containing shell metacharacters.
SI-2 requires timely identification, reporting, and correction of system flaws, such as this RCE vulnerability, through patching to Coolify v4.0.0-beta.420.7 or later.
AC-6 enforces least privilege, limiting low-level member access to project creation functions and thereby reducing the risk of exploitation by unauthorized or low-privileged users.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables authenticated low-privileged users to perform Unix shell command injection (T1059.004) via the Git Repository field during project deployment, facilitating exploitation of the remote Coolify service (T1210) for privilege escalation to full host compromise (T1068).
NVD Description
Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deployment workflow. The platform allows authenticated users, with low-level member privileges, to inject arbitrary shell commands via the Git Repository field during project creation. By submitting a crafted repository string containing command injection syntax, an attacker can execute arbitrary commands on the underlying host system, resulting in full server compromise.
Deeper analysis
Coolify, a self-hosted alternative to platforms like Heroku, in versions prior to v4.0.0-beta.420.7, contains a remote code execution (RCE) vulnerability in its project deployment workflow. The issue stems from improper input validation in the Git Repository field during project creation, allowing authenticated users to inject arbitrary shell commands. Classified under CWE-20 (Improper Input Validation) and CWE-78 (Improper Neutralization of Special Elements used in an OS Command), it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete host compromise.
An attacker with low-level member privileges on a Coolify instance can exploit this by submitting a crafted Git repository string containing command injection syntax, such as appending shell metacharacters to trigger execution during the deployment process. This network-accessible vulnerability requires no user interaction and low privileges, enabling remote arbitrary command execution on the underlying host system. Successful exploitation results in full server compromise, potentially allowing data exfiltration, persistence, or further lateral movement.
Mitigation is available via an update to Coolify v4.0.0-beta.420.7 or later, as detailed in the project's release notes. Security practitioners should immediately patch affected instances, review access controls for member privileges, and audit project creation logs for suspicious Git repository inputs. Additional details are provided in the Coolify documentation at coolify.io and proof-of-concept resources on GitHub.
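The SI-10 control described above and the recommended audit of project creation logs can both be expressed as a small piece of code. The following is an added example written for this page; it is not Coolify's own implementation and makes no claim about how Coolify's patched release validates the field. It assumes a deployment form that accepts a Git repository locator in one of three common shapes (https://, ssh:// or scp-like user@host:path), validates it against an allow-list before it ever reaches a process, hands it to git as a separate argv element rather than through a shell string, and re-applies the same validator to constructed audit lines of the form `<timestamp> user=<name> repo=<value>` to surface suspicious submissions.

```python
"""Allow-list validation of a Git repository field (added example, not Coolify code).

Demonstrates the SI-10 style control: accept only well-formed repository
locators, reject anything carrying shell syntax, and invoke git with an
argument vector so the value is never interpreted by a shell.
"""
import re
import subprocess

# Allowed repository shapes (constructed for this example):
#   https://host[:port]/path   ssh://user@host[:port]/path   user@host:path
_HTTPS = re.compile(r"^https://[A-Za-z0-9.-]+(?::\d{1,5})?/[A-Za-z0-9._/-]+$")
_SSH_URL = re.compile(r"^ssh://[A-Za-z0-9_.-]+@[A-Za-z0-9.-]+(?::\d{1,5})?/[A-Za-z0-9._/-]+$")
_SCP_LIKE = re.compile(r"^[A-Za-z0-9_.-]+@[A-Za-z0-9.-]+:[A-Za-z0-9._/-]+$")

# Characters with meaning to a POSIX shell; used only to explain a rejection.
SHELL_META = set(";|&$`<>()\n\"'\\*?{}[]!#~ ")


def validate_repo(value: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only for an allow-listed locator."""
    if not value or len(value) > 512:
        return False, "empty or too long"
    if value.startswith("-"):
        # A leading dash would be parsed by git as an option, not a URL.
        return False, "leading dash would be parsed as a git option"
    for pattern in (_HTTPS, _SSH_URL, _SCP_LIKE):
        if pattern.fullmatch(value):
            return True, "ok"
    bad = sorted(c for c in set(value) if c in SHELL_META)
    if bad:
        return False, f"shell metacharacters present: {bad!r}"
    return False, "does not match an allowed repository form"


def clone_argv(repo: str, dest: str) -> list[str]:
    """Build the git invocation as an argument vector; raise on invalid input."""
    ok, reason = validate_repo(repo)
    if not ok:
        raise ValueError(f"rejected repository value: {reason}")
    # "--" ends option parsing so neither argument can be read as a flag.
    return ["git", "clone", "--depth", "1", "--", repo, dest]


def run_clone(repo: str, dest: str) -> subprocess.CompletedProcess:
    """Execute the clone without a shell (shell=False is the default, stated for clarity)."""
    return subprocess.run(clone_argv(repo, dest), shell=False, check=True)


# Constructed sample audit lines in the assumed "<ts> user=<u> repo=<value>" format.
SAMPLE_LOG = """\
2025-08-27T10:00:01Z user=alice repo=https://github.com/example/app.git
2025-08-27T10:02:14Z user=mallory repo=https://github.com/example/app.git;echo test
2025-08-27T10:03:40Z user=bob repo=git@github.com:example/infra.git
2025-08-27T10:05:09Z user=mallory repo=$(hostname)
"""

_LOG_RE = re.compile(r"user=(\S+) repo=(.*)$")


def audit_log(text: str) -> list[tuple[str, str, str]]:
    """Return (user, repo, reason) for every line whose repo value fails validation."""
    findings = []
    for line in text.splitlines():
        m = _LOG_RE.search(line)
        if not m:
            continue
        user, repo = m.group(1), m.group(2)
        ok, reason = validate_repo(repo)
        if not ok:
            findings.append((user, repo, reason))
    return findings


if __name__ == "__main__":
    for user, repo, reason in audit_log(SAMPLE_LOG):
        print(f"{user}: {repo!r} rejected ({reason})")
```

The allow-list is deliberately narrow: rejecting on a deny-list of metacharacters alone would still let a leading dash through, which is why `validate_repo` checks that case separately and `clone_argv` terminates option parsing with `--`. Running the module prints the two constructed entries from `mallory` that fail validation.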
Details
- CWE(s)