CVE-2025-59157
9.9 CRITICAL
📋 TL;DR
CVE-2025-59157 is a command injection vulnerability in Coolify's Git Repository field during project creation. Unauthenticated user input is not properly sanitized, allowing attackers to execute arbitrary shell commands on the underlying server. This affects all Coolify instances running versions prior to 4.0.0-beta.420.7.
💻 Affected Systems
Products:
- Coolify
Versions: All versions prior to 4.0.0-beta.420.7
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable:
⚠️ Yes
Notes: All default installations are vulnerable. The vulnerability exists in the project creation workflow.
📦 What is this software?
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
Coolify by Coollabs
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, lateral movement, ransomware deployment, or persistent backdoor installation.
Likely Case
Unauthorized code execution leading to application compromise, data exfiltration, or service disruption.
If Mitigated
Limited impact if proper network segmentation and least privilege principles are enforced.
🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH
🎯 Exploit Status
Public PoC:
✅ No
Weaponized:
LIKELY
Unauthenticated Exploit:
✅ No
Complexity:
LOW
Exploitation requires regular member user access. The vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.0-beta.420.7
Vendor Advisory: https://github.com/coollabsio/coolify/security/advisories/GHSA-5cg9-38qj-8mc3
Restart Required: Yes
Instructions:
1. Backup your Coolify configuration and data. 2. Update Coolify to version 4.0.0-beta.420.7 or later using your deployment method. 3. Restart the Coolify service. 4. Verify the update was successful.
🔧 Temporary Workarounds
Input Validation Filter
allImplement custom input validation for Git repository URLs to reject suspicious characters.
Not applicable - requires code modification
Network Segmentation
linuxIsolate Coolify server from sensitive systems and implement strict firewall rules.
iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j DROP
ufw deny from any to any port 80
🧯 If You Can't Patch
- Restrict user permissions to prevent regular members from creating projects.
- Implement web application firewall (WAF) rules to block command injection patterns.
🔍 How to Verify
Check if Vulnerable:
Check Coolify version in admin panel or via API. If version is below 4.0.0-beta.420.7, system is vulnerable.Check Version:
curl -s http://localhost:3000/api/version | grep versionVerify Fix Applied:
After updating, attempt to inject basic test payloads in Git Repository field and verify they are rejected.📡 Detection & Monitoring
Log Indicators:
- Unusual shell commands in deployment logs
- Suspicious Git repository URLs containing shell metacharacters
- Failed deployment attempts with error messages
Network Indicators:
- Unexpected outbound connections from Coolify server
- Unusual process spawning patterns
SIEM Query:
source="coolify.log" AND ("git clone" OR "deployment") AND ("|" OR ";" OR "$" OR "`" OR "&&" OR "||")