External risk intelligence

Coolify Remote Code Execution via Malicious Docker Directives

CVE advisorySeverity: CRITICAL (CVSS 9.4)

CVE-2025-34159

Coolify is a self-hosted platform used to manage application deployments. Its role as a centralized management dashboard and CI/CD orchestration interface means it is commonly deployed as a web-accessible application to allow teams to manage services remotely. While it requires authentication, it is designed to be a reachable, centralized administrative service.

Code Injection

Coollabs Coolify

before 4.0.04.0.0

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability impacts Coolify, a platform for managing application deployments, specifically affecting versions prior to v4.0.0-beta.420.6. It allows authenticated users with low-level privileges to gain full administrative control of the underlying server by injecting malicious code into the deployment process. The main concern is confirming relevance and exposure.

  • Unauthorized users can seize full server control.
  • It affects deployment tools, a critical infrastructure component.
  • Assess exposure and confirm relevance to your environment.

Attack Path

How an attacker could exploit the issue

An attacker with low-level member privileges can exploit this vulnerability by creating a project and injecting malicious Docker Compose directives. This allows them to mount the host's root filesystem, ultimately leading to full root access on the underlying server.

  • Authenticated access required.
  • Malicious Docker Compose injection.
  • Full root server compromise.

Live Threat

Current exploitation, exposure, and threat context

An authenticated user with member privileges could leverage this vulnerability to inject malicious Docker Compose directives. This could lead to the mounting of the host's root filesystem, effectively granting root access to the underlying server.

  • Server root filesystem access.
  • Malicious directives injected during project creation.
  • Full root control of the server.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Coolify platform, specifically versions prior to v4.0.0-beta.420.6, presents a critical remote code execution risk. This vulnerability allows authenticated users with low-level privileges to inject malicious Docker Compose directives, potentially granting attackers root access to the underlying server by mounting the host's filesystem. The first practical move involves identifying all instances of Coolify, confirming their reachability and business criticality, and then locating the accountable owner for remediation planning.

  • Application owners should manage this issue.
  • Verify affected Coolify instances and their exposure.
  • Plan remediation during scheduled maintenance windows.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Coolify?

Coolify is a self-hosted platform used to simplify application deployment and manage server infrastructure. It acts as a centralized dashboard and CI/CD orchestration interface, allowing teams to remotely manage various services and projects from a single web-based console.

What does CVE-2025-34159 mean?

This is a critical security vulnerability involving Improper Input Validation (CWE-20) and Code Injection (CWE-94). Essentially, the software fails to properly check input during the project creation process, allowing an authenticated user to insert unauthorized, malicious commands that the system then executes with elevated privileges.

How is this vulnerability triggered?

An authenticated user with low-level member privileges can exploit this by injecting malicious directives into a Docker Compose configuration during project creation. This bug is triggered by manipulating these specific deployment settings; actions that do not involve modifying project service definitions through the deployment workflow are not part of this trigger path.

Is my Coolify instance at risk?

According to Halo Surface Signal, Coolify is often deployed as a web-accessible administrative service, making it a likely target if reachable over the network. Anyone running an affected version—any version prior to v4.0.0-beta.420.6—should consider their instance relevant if it allows users to log in, as even low-privileged accounts can leverage this flaw for full server control.

What should I do if I run Coolify?

Your first step is to identify all deployed instances and verify their current version number. If you are running a version prior to v4.0.0-beta.420.6, plan to update to a secure version as soon as possible. Consult the official Coolify project release notes for the specific update path and coordinate the maintenance with the relevant application owners.

References