CVE-2025-59156
Published: 05 January 2026
Summary
CVE-2025-59156 is an OS Command Injection (CWE-78) vulnerability in Coollabs Coolify. This summary rates it Critical with a base score of 9.4; note that the CVSS 3.1 vector quoted in the analysis below evaluates to 8.8 (High), so check which scoring your tooling reports before prioritising.
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 43.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-59156 is a Remote Code Execution (RCE) vulnerability affecting Coolify, an open-source, self-hostable tool for managing servers, applications, and databases. Its CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, which evaluates to a base score of 8.8 (High); the 9.4 (Critical) figure in the summary comes from a different scoring and should not be read as the result of this vector. The flaw, classified as CWE-78 (OS Command Injection), sits in Coolify's application deployment workflow in versions prior to 4.0.0-beta.420.7 and lets an authenticated member inject arbitrary Docker Compose directives when a project is created or updated.
A low-privileged member can exploit this vulnerability remotely, with low attack complexity and no user interaction. By defining a malicious service in the Docker Compose configuration that bind-mounts the host filesystem, the attacker obtains root-level command execution on the host operating system. No kernel or runtime escape is involved: the Docker daemon (running as root in the default configuration) honours whatever mounts the compose file asks for, so a service that mounts `/` reads and writes the host filesystem as root, which fully bypasses container isolation and grants complete control over the underlying infrastructure.
The official Coolify security advisory (GHSA-h5xw-7xvp-xrxr) at https://github.com/coollabsio/coolify/security/advisories/GHSA-h5xw-7xvp-xrxr confirms the issue and states that version 4.0.0-beta.420.7 contains a patch. Security practitioners should upgrade to this version or later to mitigate the vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206241
Vulnerability details
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, a Remote Code Execution (RCE) vulnerability exists in Coolify's application deployment workflow. This flaw allows a low-privileged member to inject arbitrary Docker Compose directives during project creation or updates. By defining a malicious service that mounts the host filesystem, an attacker can achieve root-level command execution on the host OS, completely bypassing container isolation. Version 4.0.0-beta.420.7 contains a patch for the issue.
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command, "OS Command Injection")
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The OS command injection vulnerability in Coolify's deployment workflow (Docker Compose directives) directly enables remote service exploitation (T1210), privilege escalation from low-priv to root (T1068), Unix shell command execution (T1059.004), and container escape to host via malicious bind mounts (T1611).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the RCE vulnerability by requiring timely remediation, i.e. patching Coolify to version 4.0.0-beta.420.7 or later.
- SI-10 (Information Input Validation): validates and sanitises the Docker Compose input to the application deployment workflow so that directives which reach the host (bind mounts of the host filesystem, privileged mode, host namespaces) are rejected before the file is handed to Docker.
- Least privilege: restricts which members may create or update projects, and what a member-created project may declare, so that a low-privileged account cannot inject host filesystem mounts that lead to RCE.
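The check below is an added example written for this page; it is not Coolify's code and not taken from the advisory. It turns the SI-10 control above into a concrete pre-deployment gate: a policy pass over the parsed Docker Compose document that rejects the directives by which a service reaches the host (bind mounts of the host filesystem, `privileged`, host namespaces, dangerous capabilities), which is exactly the service shape the advisory describes. The same policy is fed `docker inspect` records so containers that were deployed before the gate existed can be swept, which is the detection side of the T1611 (Escape to Host) mapping listed above. The sensitive-path list, the severity tiers, and the sample compose documents and inspect record are constructed assumptions for the example; the compose keys and inspect field names are Docker's own.

```python
import posixpath
from dataclasses import dataclass
from typing import Any, Iterator

# Host trees that hand over the machine if bind-mounted (assumed policy list, not a Coolify setting).
SENSITIVE_HOST_PREFIXES = ("/etc", "/root", "/home", "/boot", "/dev", "/proc",
                           "/sys", "/run", "/var/run", "/var/lib/docker")
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}
HOST_NAMESPACE_KEYS = ("pid", "ipc", "network_mode", "userns_mode")


@dataclass(frozen=True)
class Finding:
    service: str
    directive: str
    severity: str   # "high": host takeover; "medium": bind mount outside the sensitive trees
    detail: str


def bind_mount_sources(volumes: Any) -> Iterator[str]:
    """Yield host-side sources of bind mounts from a compose `volumes` list (short
    "src:dst[:mode]" and long mapping forms). A bare name is a named volume, not a bind."""
    for entry in volumes or []:
        if isinstance(entry, str):
            src = entry.split(":", 1)[0]
            if src.startswith(("/", ".", "~")):
                yield src
        elif isinstance(entry, dict) and entry.get("type") == "bind":
            yield str(entry.get("source", ""))


def host_path_severity(src: str) -> str:
    """The host root or a sensitive tree is 'high'; any other host path is 'medium'."""
    if not src.startswith("/"):
        return "medium"                  # relative to the project dir, but still on the host
    path = posixpath.normpath(src)       # "/etc/../" -> "/"
    if path == "/" or any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PREFIXES):
        return "high"
    return "medium"


def check_service(name: str, svc: dict) -> list[Finding]:
    """Apply the policy to one compose service definition."""
    found = [Finding(name, "volumes", host_path_severity(s), f"bind mount of host path {s!r}")
             for s in bind_mount_sources(svc.get("volumes"))]
    if svc.get("privileged") is True:
        found.append(Finding(name, "privileged", "high", "privileged container"))
    for key in HOST_NAMESPACE_KEYS:
        if str(svc.get(key) or "").lower() == "host":
            found.append(Finding(name, key, "high", f"shares the host {key} namespace"))
    caps = {str(c).upper().removeprefix("CAP_") for c in svc.get("cap_add") or []}
    found += [Finding(name, "cap_add", "high", f"capability {c}") for c in sorted(caps & DANGEROUS_CAPS)]
    return found


def check_compose(compose: dict) -> list[Finding]:
    """Pre-deployment gate: an empty result means the file may be handed to Docker."""
    return [f for name, svc in (compose.get("services") or {}).items()
            for f in check_service(name, svc or {})]


def service_from_inspect(record: dict) -> tuple[str, dict]:
    """Map a `docker inspect` record onto the shape check_service expects, so the same
    policy can sweep containers deployed before the gate existed (T1611 detection)."""
    hc = record.get("HostConfig") or {}
    svc = {"volumes": [{"type": "bind", "source": m.get("Source", "")}
                       for m in record.get("Mounts") or [] if m.get("Type") == "bind"],
           "privileged": bool(hc.get("Privileged")),
           "pid": hc.get("PidMode"), "ipc": hc.get("IpcMode"),
           "network_mode": hc.get("NetworkMode"), "userns_mode": hc.get("UsernsMode"),
           "cap_add": hc.get("CapAdd") or []}
    return (record.get("Name") or "").lstrip("/"), svc


# Constructed samples for the example (not taken from the advisory): a service shaped the
# way the advisory describes, a benign one using a named volume, and an inspect excerpt.
MALICIOUS_COMPOSE = {"services": {"app": {
    "image": "alpine", "privileged": True, "pid": "host",
    "volumes": ["/:/host", "/var/run/docker.sock:/var/run/docker.sock"]}}}
BENIGN_COMPOSE = {"services": {"web": {"image": "nginx", "ports": ["8080:80"],
                                       "volumes": ["site_data:/usr/share/nginx/html"]}},
                  "volumes": {"site_data": {}}}
RUNNING_CONTAINER = {  # constructed `docker inspect` output, trimmed to the fields used
    "Name": "/app-1",
    "HostConfig": {"Privileged": True, "PidMode": "host", "IpcMode": "private",
                   "NetworkMode": "bridge", "UsernsMode": "", "CapAdd": None},
    "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"},
               {"Type": "volume", "Source": "/var/lib/docker/volumes/d/_data", "Destination": "/data"}]}

if __name__ == "__main__":
    for label, findings in (("compose: malicious", check_compose(MALICIOUS_COMPOSE)),
                            ("compose: benign", check_compose(BENIGN_COMPOSE)),
                            ("running container", check_service(*service_from_inspect(RUNNING_CONTAINER)))):
        print(f"{label}: {'ALLOW' if not findings else 'DENY'}")
        for f in findings:
            print(f"  [{f.severity}] {f.service}.{f.directive}: {f.detail}")
```

For a real file, parse it with a YAML loader (for example PyYAML's `yaml.safe_load`) and pass the resulting dict to `check_compose`; for the sweep, feed the output of `docker inspect $(docker ps -q)` through `json.load` and map each record with `service_from_inspect`. The gate is deny-by-default on every bind mount because on a shared platform the compose author is not trusted with the host; relax the `medium` tier only where a project-directory mount is an intended feature, and never the `high` one.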