Description
Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator attempts to delete the project or its associated resource, the payload executes in the admin’s browser context. This results in full compromise of the Coolify instance, including theft of API tokens, session cookies, and access to WebSocket-based terminal sessions on managed servers.
EPSS Score:
0%
Comprehensive Technical Analysis of EUVD-2025-25910
1. Vulnerability Assessment and Severity Evaluation
The vulnerability described in EUVD-2025-25910 pertains to a stored cross-site scripting (XSS) attack in Coolify versions prior to v4.0.0-beta.420.6. This vulnerability allows an authenticated user with low privileges to inject malicious JavaScript into the project creation workflow. When an administrator interacts with the malicious project, the script executes in the admin’s browser context, leading to a full compromise of the Coolify instance.
Severity Evaluation:
- Base Score: 9.4 (CVSS:4.0)
- Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
The high base score indicates a critical vulnerability due to the potential for significant impact on confidentiality, integrity, and availability. The attack vector is network-based (AV:N), requires low complexity (AC:L), and does not need specialized conditions (AT:N). The attacker requires low privileges (PR:L) and user interaction (UI:P). The impact on confidentiality, integrity, and availability is high (VC:H, VI:H, VA:H), and the scope change is also high (SC:H, SI:H, SA:H).
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- Stored XSS: An authenticated user with low privileges can create a project with a maliciously crafted name containing embedded JavaScript.
- Admin Interaction: The payload executes when an administrator attempts to delete the project or its associated resource.
Exploitation Methods:
- JavaScript Injection: The attacker injects JavaScript code into the project name field.
- Browser Execution: When the admin interacts with the malicious project, the JavaScript code executes in the admin’s browser context.
- Data Theft: The malicious script can steal API tokens, session cookies, and access WebSocket-based terminal sessions on managed servers.
3. Affected Systems and Software Versions
Affected Software:
- Coolify versions prior to v4.0.0-beta.420.6
Affected Systems:
- Any system running the vulnerable versions of Coolify, including but not limited to:
- Cloud-based deployments
- On-premises installations
- Managed servers with WebSocket-based terminal sessions
4. Recommended Mitigation Strategies
Immediate Mitigation:
- Upgrade: Upgrade to Coolify version v4.0.0-beta.420.7 or later, which includes the patch for this vulnerability.
- Input Sanitization: Ensure all user inputs are properly sanitized and validated to prevent XSS attacks.
- Content Security Policy (CSP): Implement a strong CSP to mitigate the impact of XSS attacks.
- User Education: Educate users about the risks of XSS and the importance of not interacting with suspicious content.
Long-Term Mitigation:
- Regular Audits: Conduct regular security audits and code reviews to identify and fix similar vulnerabilities.
- Security Training: Provide security training for developers to understand and prevent common vulnerabilities like XSS.
- Monitoring: Implement monitoring and logging to detect and respond to suspicious activities.
5. Impact on European Cybersecurity Landscape
The vulnerability in Coolify poses a significant risk to organizations using the software, particularly those in the European Union. The potential for full compromise of Coolify instances can lead to data breaches, unauthorized access, and disruption of services. This underscores the importance of timely patching and adherence to best security practices.
Regulatory Implications:
- GDPR Compliance: Organizations must ensure they comply with GDPR regulations, especially regarding data protection and breach reporting.
- ENISA Guidelines: Follow ENISA guidelines for vulnerability management and incident response.
6. Technical Details for Security Professionals
Vulnerability Details:
- Type: Stored XSS
- Location: Project creation workflow
- Trigger: Admin interaction with the malicious project
- Payload: Embedded JavaScript in the project name
Detection and Response:
- Detection: Implement intrusion detection systems (IDS) and web application firewalls (WAF) to detect and block XSS attempts.
- Response: Have an incident response plan in place to quickly address any detected vulnerabilities or attacks.
References:
- GitHub Release: Coolify v4.0.0-beta.420.7
- Vendor Website: Coolify
- CVE Reference: CVE-2025-34157
Conclusion: The vulnerability in Coolify highlights the critical need for robust input validation, regular updates, and proactive security measures. Organizations should prioritize upgrading to the patched version and implementing additional security controls to mitigate the risk of XSS attacks.
This analysis provides a comprehensive overview for cybersecurity professionals to understand the vulnerability, its impact, and the necessary steps to mitigate the risk effectively.