CVE-2025-64424
Published: 05 January 2026
Summary
CVE-2025-64424 is a critical-severity Command Injection (CWE-77) vulnerability in Coollabs Coolify. Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-64424 is a command injection vulnerability (CWE-77) in Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. The flaw exists in the git source input fields of a resource and affects versions up to and including v4.0.0-beta.434. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.
A low-privileged user with member access can exploit the vulnerability remotely without user interaction. By injecting malicious commands into the git source input fields, the attacker can execute arbitrary system commands as the root user on the Coolify instance, enabling full system compromise.
The primary references include the GitHub security advisory GHSA-qx24-jhwj-8w6x and a proof-of-concept at a Google Drive link. As of the CVE publication on January 5, 2026, it is unclear if a patch is available.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206232
Vulnerability details
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a command injection vulnerability exists in the git source input fields of a resource, allowing a low privileged user…
more
(member) to execute system commands as root on the Coolify instance. As of time of publication, it is unclear if a patch is available.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in network-accessible git source input fields enables RCE as root from low-priv access, directly facilitating public-facing app exploitation (T1190), privilege escalation via exploitation (T1068), and Unix shell command execution (T1059.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents command injection by requiring validation of untrusted inputs in git source fields before processing.
Addresses the root cause by identifying, reporting, and remediating the specific command injection flaw in Coolify.
Mitigates impact of successful injection by enforcing least privilege on processes handling user inputs, preventing root-level execution.