External risk intelligence

Coolify Stored Cross-Site Scripting Leads to Instance Compromise

CVE advisorySeverity: CRITICAL (CVSS 9.4)

CVE-2025-34157

Coolify is a self-hosted platform used to manage applications and infrastructure, typically deployed as an internet-facing web interface for service orchestration and management. Because it serves as a centralized administrative console accessible via web browser for developers and operators, it is frequently exposed to the network to facilitate remote management of infrastructure.

Cross-site Scripting

Coollabs Coolify

before 4.0.04.0.0

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Coolify, a platform used for managing applications and infrastructure. The issue allows a low-privilege user to execute malicious code within an administrator's browser, potentially leading to a full compromise of the Coolify instance and access to sensitive information and managed servers.

  • Low-privilege users can gain administrator control.
  • Compromise of the instance means full access to data.
  • Confirm relevance and exposure to this vulnerability.

Attack Path

How an attacker could exploit the issue

An attacker with low-privilege access can create a project with a name containing malicious JavaScript. When an administrator attempts to delete this project or its resources, the script executes within the administrator's browser. This allows the attacker to gain full control over the Coolify instance, potentially leading to the compromise of sensitive information and managed server access.

  • Requires authenticated, low-privilege access.
  • Triggered by an administrator deleting a project.
  • Leads to full instance compromise.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an authenticated user with low privileges to compromise an entire Coolify instance. By creating a project with a malicious name, they can trigger a stored cross-site scripting attack when an administrator attempts to manage that project. This could lead to the theft of sensitive API tokens and session cookies, as well as unauthorized access to terminal sessions on managed servers.

  • Coolify instance and its sensitive data.
  • Malicious project name triggers XSS.
  • Full instance compromise and data theft.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and infrastructure teams are likely responsible for addressing this vulnerability. The first step is to identify all instances of Coolify within the environment, confirm their accessibility and business criticality, and then determine the accountable owner for remediation planning.

  • Application owners should manage the issue.
  • Verify external reachability and business impact.
  • Plan and coordinate remediation activities.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Coolify?

Coolify is a self-hosted, all-in-one platform used to manage applications, databases, and infrastructure. It provides a centralized web interface that allows developers and administrators to orchestrate deployments and monitor their services from a single console.

What does CVE-2025-34157 mean?

This CVE identifies a stored cross-site scripting (XSS) vulnerability. An attacker can inject malicious JavaScript into a project name. Because the application fails to properly sanitize this input, the script is saved and later runs inside an administrator's browser, potentially giving the attacker full control over the Coolify instance.

How is the malicious code triggered?

The attack requires a low-privilege authenticated user to create a project with a malicious name. However, the code does not execute immediately upon creation. It only triggers when an administrator views the project and attempts to delete it or its associated resources, causing the browser to execute the stored script.

Is my Coolify instance at risk?

Halo Surface Signal indicates that Coolify instances are typically deployed as internet-facing web interfaces to enable remote infrastructure management. If your instance is reachable over the network, it faces a higher profile for this vulnerability since it is intended for administrative access.

What should I do to secure my Coolify setup?

Begin by identifying all Coolify installations within your environment to assess their business importance. Coordinate with the relevant owners to plan updates, as the vulnerability affects specific versions prior to v4.0.0-beta.420.6. Prioritize verifying if your instance is exposed to the internet while you prepare to apply the necessary patches.

References