External risk intelligence

Coolify Project Deployment Remote Code Execution Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.4)

CVE-2025-34161

Coolify is a self-hosted platform designed for managing application deployments and infrastructure. It is typically deployed as a centralized web-based management dashboard, often exposed to the internet or reachable across internal networks to facilitate remote administration and development workflows.

OS Command Injection

Coollabs Coolify

before 4.0.04.0.0

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

Coolify is affected by a critical vulnerability that allows authenticated users with basic privileges to execute arbitrary commands on the server. This could lead to a full system compromise. The primary concern is to confirm if your Coolify instances are affected and determine the potential exposure.

  • Allows basic users to run commands on the server.
  • Critical vulnerability could lead to full server compromise.
  • Confirm exposure and relevance to your environment.

Attack Path

How an attacker could exploit the issue

An attacker with low-level member privileges can inject arbitrary shell commands by manipulating the Git Repository field during project creation. This vulnerability, present in Coolify versions prior to v4.0.0-beta.420.7, allows for the execution of commands on the host system, potentially leading to a full server compromise.

  • Authenticated, low-privilege access required.
  • Inject commands via Git Repository field.
  • Full server compromise possible.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an authenticated user with member privileges to execute arbitrary commands on the server where Coolify is installed, potentially leading to a full system compromise. This occurs when a specially crafted repository string, containing shell command syntax, is provided during project creation.

  • Server host system commands.
  • Injecting commands into Git repository field.
  • Full server compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

In a real-world scenario, the platform or application owners are likely responsible for Coolify, as it manages project deployments. Infrastructure or platform teams would also be involved in ensuring the underlying host system's security. The first practical step is to identify all instances of Coolify, determine their reachability and criticality, and locate the accountable owner for remediation planning.

  • Platform owners should manage this issue.
  • Verify Coolify's reachability and criticality.
  • Plan remediation based on exposure.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Coolify?

Coolify is a self-hosted, all-in-one platform used to manage application deployments and server infrastructure. It acts as a centralized dashboard, helping developers and operations teams automate the process of moving code from repositories to running services on their own hosting environments.

What does CVE-2025-34161 mean for system security?

This vulnerability is classified as Improper Input Validation and OS Command Injection (CWE-20 and CWE-78). It means the application fails to properly sanitize user input, allowing an attacker to insert malicious system commands that the server will execute, resulting in full unauthorized control over the underlying host system.

How is this vulnerability triggered?

An attacker with authenticated, low-level member access triggers the bug by entering a specially crafted string into the Git Repository field when creating a new project. It is important to note that this requires valid authentication; unauthorized, anonymous users cannot trigger this specific injection path.

Is my instance relevant to this threat?

If you host a Coolify dashboard, it is likely relevant regardless of whether it is exposed to the internet or restricted to an internal network. According to Halo Surface Signal, because Coolify is designed to manage deployments and infrastructure, these dashboards are often accessible across networks, meaning any authenticated user could potentially exploit this.

What should I do to address CVE-2025-34161?

Your first step is to conduct an inventory to locate all active Coolify instances in your environment. Once identified, verify their current version to see if they are earlier than v4.0.0-beta.420.7. After confirming affected instances, coordinate with the responsible platform owners to plan and apply the necessary updates to the latest secure version.

References