CVE-2025-64424
Published: 05 January 2026
Summary
CVE-2025-64424 is a high-severity Command Injection (CWE-77) vulnerability in Coollabs Coolify. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents command injection by requiring validation of untrusted inputs in git source fields before processing.
Addresses the root cause by identifying, reporting, and remediating the specific command injection flaw in Coolify.
Mitigates impact of successful injection by enforcing least privilege on processes handling user inputs, preventing root-level execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in network-accessible git source input fields enables RCE as root from low-priv access, directly facilitating public-facing app exploitation (T1190), privilege escalation via exploitation (T1068), and Unix shell command execution (T1059.004).
NVD Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a command injection vulnerability exists in the git source input fields of a resource, allowing a low privileged user…
more
(member) to execute system commands as root on the Coolify instance. As of time of publication, it is unclear if a patch is available.
Deeper analysisAI
CVE-2025-64424 is a command injection vulnerability (CWE-77) in Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. The flaw exists in the git source input fields of a resource and affects versions up to and including v4.0.0-beta.434. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.
A low-privileged user with member access can exploit the vulnerability remotely without user interaction. By injecting malicious commands into the git source input fields, the attacker can execute arbitrary system commands as the root user on the Coolify instance, enabling full system compromise.
The primary references include the GitHub security advisory GHSA-qx24-jhwj-8w6x and a proof-of-concept at a Google Drive link. As of the CVE publication on January 5, 2026, it is unclear if a patch is available.
Details
- CWE(s)