CVE-2025-22606
📋 TL;DR
Coolify versions before 4.0.0-beta.359 contain a command injection vulnerability in project name handling: the name is interpolated into a shell command without escaping, so any authenticated user who can create or rename a project can execute arbitrary shell commands on the host system. This affects all deployments running vulnerable versions of the Coolify self-hosted server management platform. Because Coolify manages the host's Docker workloads, command execution in its context means compromise of the underlying server.
💻 Affected Systems
- Coolify
📦 What is this software?
Coolify by Coollabs is an open-source, self-hostable deployment platform (a Heroku/Vercel-style alternative) that builds and runs applications, databases and services as Docker containers on servers you control. Its web UI drives Docker on the host, so a shell injection in the UI's backend executes with the privileges of that management process.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to create, modify, or delete sensitive system files, install malware, steal credentials, and escalate privileges to root access.
Likely Case
Unauthorized command execution leading to data theft, service disruption, and lateral movement within the network.
If Mitigated
Network segmentation and least-privilege access controls limit lateral movement and shrink the set of users who can reach the vulnerable feature, but they do not prevent command execution on the Coolify host by any user who can still edit project names.
🎯 Exploit Status
Exploitation requires an authenticated account with access to project management features (creating or renaming a project). The project name is placed inside a single-quoted shell argument without escaping, so a name containing a single quote closes the quoted argument and the remainder of the name is interpreted by the shell as further commands.
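The mechanism described above, as an added illustration that is not Coolify's own code: a stand-in command builder that drops the project name into single quotes (the `docker network create` command, the `-net` suffix and the project name `x'; id; echo '` are all constructed for this example) next to two hardened variants, plus a tokenizer that shows what a POSIX shell would see in each case.

```python
import shlex

# Constructed example input: a single quote ends the quoted argument,
# then "; id; echo '" becomes a separate command and re-opens a quote
# so the trailing "-net'" still parses.
MALICIOUS_NAME = "x'; id; echo '"


def vulnerable_command(project_name: str) -> str:
    """Unsafe: interpolates the name into single quotes with no escaping."""
    return f"docker network create '{project_name}-net'"


def hardened_command(project_name: str) -> str:
    """Safe when a string must be handed to a shell: shlex.quote escapes
    embedded single quotes, so the whole name stays one argument."""
    return f"docker network create {shlex.quote(project_name + '-net')}"


def safe_argv(project_name: str) -> list:
    """Safest: build an argv list and run it without a shell at all
    (e.g. subprocess.run(argv, shell=False)); no quoting is involved."""
    return ["docker", "network", "create", f"{project_name}-net"]


def command_words(cmd: str) -> list:
    """Tokenize cmd the way a POSIX shell would, emitting ; | & etc.
    as separate tokens so command separators are visible."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def shell_breakout(project_name: str) -> bool:
    """True if the name turns into more than one shell command when
    passed through the vulnerable builder."""
    return ";" in command_words(vulnerable_command(project_name))


if __name__ == "__main__":
    print(vulnerable_command(MALICIOUS_NAME))
    print(command_words(vulnerable_command(MALICIOUS_NAME)))
    print(hardened_command(MALICIOUS_NAME))
    print(command_words(hardened_command(MALICIOUS_NAME)))
    print(safe_argv(MALICIOUS_NAME))
```

The tokenizer output is the point: the vulnerable builder yields `id` as its own command after a `;` token, while the shlex-quoted form and the argv form keep the entire name, quote and all, as a single argument.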
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.0-beta.359
Vendor Advisory: https://github.com/coollabsio/coolify/security/advisories/GHSA-ccp8-v65g-m526
Restart Required: No
Instructions:
1. Update Coolify to version 4.0.0-beta.359 or later.
2. Run the update command specific to your installation method (docker-compose pull && docker-compose up -d for Docker installations).
3. Verify the update completed successfully.
🔧 Temporary Workarounds
Input Validation and Sanitization
Until you can update, reject project names containing single quotes or other shell metacharacters, for example with a rule on the reverse proxy or WAF in front of the Coolify UI/API, since vulnerable versions do not perform this check themselves.
Restrict Project Management Access
Limit access to project creation and modification features to trusted administrators only, and remove or downgrade accounts that do not need them.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Coolify instances from critical systems
- Apply strict access controls and monitor all project management activities for suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Check your Coolify version. If it's 4.0.0-beta.358 or earlier, you are vulnerable.
Check Version:
Check the version shown in the Coolify web interface, or run 'docker ps' and read the image tag of the Coolify container if using Docker.
Verify Fix Applied:
After updating, verify the version is 4.0.0-beta.359 or later and, on a non-production instance, confirm that a project name containing a single quote is rejected or stored literally rather than executed.
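A version check for the steps above, as an added example (not a tool shipped by Coolify): it parses Coolify's 4.0.0-beta.N version strings, compares them against the fixed release named in the advisory, and scans constructed `docker ps --format '{{.Image}}'` output for a Coolify image tag. The image name `ghcr.io/coollabsio/coolify` and the sample output lines are assumptions for the example; substitute whatever your `docker ps` actually prints.

```python
import re

# First fixed release according to the advisory.
FIXED_VERSION = "4.0.0-beta.359"

# Matches "4.0.0-beta.358" or a plain release such as "4.0.0"; a leading "v" is tolerated.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-beta\.(\d+))?$")

# Assumed image name for the example; check your own `docker ps` output.
COOLIFY_IMAGE = "ghcr.io/coollabsio/coolify"

# Constructed sample of `docker ps --format '{{.Image}}'` output.
SAMPLE_DOCKER_PS = """\
ghcr.io/coollabsio/coolify:4.0.0-beta.358
postgres:15-alpine
redis:7-alpine
"""


def version_key(version: str) -> tuple:
    """Sortable key: a beta sorts before the final release of the same number."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Coolify version string: {version!r}")
    major, minor, patch, beta = m.groups()
    is_release = 1 if beta is None else 0
    return (int(major), int(minor), int(patch), is_release, int(beta or 0))


def is_vulnerable(version: str) -> bool:
    """True for any version before 4.0.0-beta.359."""
    return version_key(version) < version_key(FIXED_VERSION)


def coolify_versions_from_docker_ps(output: str) -> list:
    """Extract version tags of Coolify images from `docker ps --format '{{.Image}}'` lines."""
    versions = []
    for line in output.splitlines():
        image = line.strip()
        if not image.startswith(COOLIFY_IMAGE + ":"):
            continue
        versions.append(image.rsplit(":", 1)[1])
    return versions


def vulnerable_images(output: str) -> list:
    """Versions found in docker ps output that are still below the fix."""
    return [v for v in coolify_versions_from_docker_ps(output) if is_vulnerable(v)]


if __name__ == "__main__":
    for v in coolify_versions_from_docker_ps(SAMPLE_DOCKER_PS):
        print(v, "VULNERABLE" if is_vulnerable(v) else "fixed")
```

Run it against real output with `docker ps --format '{{.Image}}' | python3 check.py` by reading `sys.stdin` in place of `SAMPLE_DOCKER_PS`; the version check itself is the part worth keeping, since it avoids the string-comparison trap where "4.0.0-beta.40" would sort after "4.0.0-beta.359".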
📡 Detection & Monitoring
Log Indicators:
- Unusual project creation/modification events
- Project names containing shell metacharacters (single quotes, semicolons, pipes, ampersands, backticks)
- Failed authentication attempts followed by project management activities
Network and Host Indicators:
- Unexpected outbound connections from the Coolify host
- Unexpected child processes spawned by the Coolify application or by the Docker daemon on its behalf
SIEM Query (pseudo-syntax; adapt to your platform):
source="coolify" AND (event="project_create" OR event="project_update") AND name CONTAINS ["'", ";", "|", "&", "`"]
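The pseudo-query above and the log indicators, implemented as an added detection example (not part of the original advisory or of Coolify): it runs over constructed JSON log lines, flags project create/update events whose name contains the listed shell metacharacters, and correlates failed logins with project management activity by the same user inside a short window. The event names, field names and sample lines are assumptions for the example; map them to whatever your Coolify log forwarding actually emits.

```python
import json
import re
from datetime import datetime, timedelta

PROJECT_EVENTS = {"project_create", "project_update"}
# The characters listed in the advisory's pseudo-query.
SHELL_META = re.compile(r"[';|&`]")
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed sample log (field and event names are assumed for this example).
SAMPLE_LOG = """\
{"ts":"2025-01-10T09:00:00Z","source":"coolify","event":"project_create","user":"alice","name":"billing-api"}
{"ts":"2025-01-10T09:01:00Z","source":"coolify","event":"login_failed","user":"bob","name":""}
{"ts":"2025-01-10T09:02:00Z","source":"coolify","event":"login_failed","user":"bob","name":""}
{"ts":"2025-01-10T09:05:00Z","source":"coolify","event":"project_update","user":"bob","name":"x'; id; echo '"}
{"ts":"2025-01-10T09:06:00Z","source":"coolify","event":"project_create","user":"carol","name":"data`id`"}
{"ts":"2025-01-10T09:07:00Z","source":"traefik","event":"project_create","user":"n/a","name":"a;b"}
"""


def parse_events(text: str) -> list:
    """Parse one JSON object per line; timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def is_project_event(e: dict) -> bool:
    return e.get("source") == "coolify" and e.get("event") in PROJECT_EVENTS


def metachar_hits(events: list) -> list:
    """Equivalent of the pseudo-query: Coolify project events with a
    shell metacharacter in the project name."""
    return [e for e in events
            if is_project_event(e) and SHELL_META.search(e.get("name") or "")]


def failed_auth_then_project_activity(events: list,
                                      window: timedelta = CORRELATION_WINDOW) -> list:
    """Project events by a user who had a failed login within `window` before them."""
    last_failure = {}
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e.get("source") != "coolify":
            continue
        if e.get("event") == "login_failed":
            last_failure[e.get("user")] = e["ts"]
        elif is_project_event(e):
            failed_at = last_failure.get(e.get("user"))
            if failed_at is not None and e["ts"] - failed_at <= window:
                hits.append(e)
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in metachar_hits(evs):
        print("metachar:", e["user"], repr(e["name"]))
    for e in failed_auth_then_project_activity(evs):
        print("failed-auth-then-project:", e["user"], e["event"])
```

Tune the window and the metacharacter set to your environment; a hyphen or dot in a project name is normal, but a single quote, semicolon or backtick has no legitimate use there and is worth an alert on its own.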