CVE-2025-59157
Published: 05 January 2026
Summary
CVE-2025-59157 is a critical-severity OS Command Injection (CWE-78) vulnerability in Coollabs Coolify. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly addresses the lack of input sanitization in the Git Repository field by requiring validation of user inputs to block command injection.
SI-2 mandates timely flaw remediation, including patching Coolify to version 4.0.0-beta.420.7 to eliminate the command injection vulnerability.
AC-6 enforces least privilege on the deployment process, limiting the impact of injected commands even if validation fails.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection vulnerability in web-based Git Repository field of Coolify enables remote exploitation of a public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004) with deployment privileges.
NVD Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, the Git Repository field during project creation is vulnerable to command injection. User input is not properly sanitized, allowing attackers to inject arbitrary…
more
shell commands that execute on the underlying server during the deployment workflow. A regular member user can exploit this vulnerability. Version 4.0.0-beta.420.7 contains a patch for the issue.
Deeper analysisAI
CVE-2025-59157 is a command injection vulnerability (CWE-78) in Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. The issue affects versions prior to 4.0.0-beta.420.7, specifically in the Git Repository field during project creation. User input in this field is not properly sanitized, enabling the injection of arbitrary shell commands that execute on the underlying server as part of the deployment workflow. The vulnerability has a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and high impacts across confidentiality, integrity, and availability with scope change.
A regular member user with low privileges can exploit this vulnerability remotely without user interaction. By crafting a malicious Git Repository URL during project creation, the attacker injects shell commands that run with the privileges of the deployment process on the server hosting Coolify. This allows full compromise of the underlying server, including data exfiltration, modification of applications or databases, or further lateral movement within the environment.
The official GitHub security advisory (GHSA-5cg9-38qj-8mc3) confirms that updating to version 4.0.0-beta.420.7 patches the issue by addressing the lack of input sanitization in the Git Repository field. Security practitioners should immediately upgrade affected Coolify instances and review access controls for member users to prevent exploitation during project deployments.
Details
- CWE(s)