CVE-2025-34161
Published: 27 August 2025
Summary
CVE-2025-34161 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Coollabs Coolify. Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 20.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Coolify versions prior to v4.0.0-beta.420.7 are affected by a remote code execution vulnerability in the project deployment workflow. The flaw arises from improper input validation that permits command injection through the Git Repository field, reflected in the associated CWE-20 and CWE-78 classifications. The critical CVSS 9.4 score reflects network-accessible impact with low attack complexity.
Authenticated users holding low-level member privileges can exploit the issue by submitting a crafted repository string containing shell metacharacters during project creation. Successful injection results in arbitrary command execution on the underlying host, enabling full server compromise without requiring user interaction or elevated privileges.
The vendor released a fix in v4.0.0-beta.420.7, available via the project's GitHub repository. The EPSS score has remained flat at 0.0119 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25912
Vulnerability details
Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deployment workflow. The platform allows authenticated users, with low-level member privileges, to inject arbitrary shell commands via the Git Repository field during project creation.
By submitting a crafted repository string containing command injection syntax, an attacker can execute arbitrary commands on the underlying host system, resulting in full server compromise.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables authenticated low-privileged users to perform Unix shell command injection (T1059.004) via the Git Repository field during project deployment, facilitating exploitation of the remote Coolify service (T1210) for privilege escalation to full host compromise (T1068).
Mitigating Controls (NIST 800-53 r5)
SI-10 directly mandates input validation mechanisms at entry points like the Git Repository field, preventing command injection by rejecting malformed inputs containing shell metacharacters.
SI-2 requires timely identification, reporting, and correction of system flaws, such as this RCE vulnerability, through patching to Coolify v4.0.0-beta.420.7 or later.
AC-6 enforces least privilege, limiting low-level member access to project creation functions and thereby reducing the risk of exploitation by unauthorized or low-privileged users.
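The SI-10 control above, worked through as an added example that is not Coolify's own code: a Python validator that allowlists the Git Repository value and then builds the clone command as an argv list rather than a shell string, so the field can never be interpreted as shell syntax. The allowlist patterns, helper names and sample inputs are this example's own assumptions.

```python
import re

# Constructed allowlist for what the deployment workflow accepts as a repository
# reference: an https:// URL or an scp-style ssh reference built only from the
# characters a Git remote legitimately needs. This is an assumption of the example,
# not Coolify's validation; other transports (file://, ext::) are rejected on purpose.
_HTTPS_REPO = re.compile(
    r"^https://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[A-Za-z0-9._-]+)+/?$"
)
_SSH_REPO = re.compile(
    r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+:[A-Za-z0-9._-]+(?:/[A-Za-z0-9._-]+)*$"
)

# Characters the shell treats as control syntax; any occurrence is a hard reject.
_SHELL_META = set(";|&$`\\\"'<>(){}[]*?~!\n\r \t")


def validate_repo_ref(ref: str) -> bool:
    """Return True only when ref matches the allowlist and carries no shell metacharacters."""
    if not ref or len(ref) > 512:
        return False
    if any(ch in _SHELL_META for ch in ref):
        return False
    # A leading '-' would be parsed by git as an option, not a remote.
    if ref.startswith("-"):
        return False
    return bool(_HTTPS_REPO.match(ref) or _SSH_REPO.match(ref))


def build_clone_argv(ref: str, dest: str) -> list:
    """Build the git clone command as an argv list, never as a shell string.

    Passing a list to subprocess.run(..., shell=False) hands the reference to git
    as one argument, so even a value that slipped past validation cannot end the
    command and start another. '--' stops git from treating it as an option.
    """
    if not validate_repo_ref(ref):
        raise ValueError("repository reference rejected by allowlist")
    return ["git", "clone", "--depth", "1", "--", ref, dest]


if __name__ == "__main__":
    good = "https://github.com/example/app.git"                 # constructed sample
    bad = "https://github.com/example/app.git; echo injected"  # constructed sample
    print(validate_repo_ref(good), validate_repo_ref(bad))
    print(build_clone_argv(good, "/tmp/app"))
```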