CVE-2025-64419
Published: 05 January 2026
Summary
CVE-2025-64419 is a critical-severity Command Injection (CWE-77) vulnerability in Coollabs Coolify. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation and sanitization of unsanitized parameters from docker-compose.yaml before passing to system commands, preventing command injection.
Mandates timely identification, reporting, and patching of the command injection flaw fixed in Coolify version 4.0.0-beta.445.
Requires checking and validating software configurations from external attacker-controlled Git repositories before installation via docker compose build pack.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables exploitation of public-facing application (Coolify) via malicious Git repo and docker-compose.yaml leading to command injection for arbitrary Unix shell execution as root.
NVD Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.445, parameters coming from docker-compose.yaml are not sanitized when used in commands. If a victim user creates an application from an attacker repository (using…
more
build pack "docker compose"), the attacker can execute commands on the Coolify instance as root. Version 4.0.0-beta.445 fixes the issue.
Deeper analysisAI
CVE-2025-64419 is a command injection vulnerability (CWE-77) in Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.445, parameters sourced from docker-compose.yaml files are not sanitized before being passed to system commands. This flaw has a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, no required privileges, user interaction needed, and high impacts across confidentiality, integrity, and availability.
An attacker can exploit this vulnerability by controlling a Git repository that a victim user pulls into their Coolify instance when creating an application using the "docker compose" build pack. The unsanitized parameters in the malicious docker-compose.yaml enable arbitrary command execution on the Coolify host as the root user, potentially allowing full compromise of the server, data exfiltration, persistence, or further lateral movement.
The Coolify security advisory (GHSA-234r-xrrg-m8f3) and associated fix commit (f86ccfaa9af572a5487da8ea46b0a125a4854cf6) confirm that upgrading to version 4.0.0-beta.445 or later resolves the issue through proper sanitization of docker-compose.yaml parameters. Security practitioners should advise users to update immediately, validate application sources, and review docker-compose configurations for any ongoing risks.
Details
- CWE(s)