The vulnerabilities pose severe risks to organizations deploying Coolify instances, particularly those exposed to the internet.
Security researchers have identified three distinct command-injection and information-disclosure flaws affecting multiple versions of Coolify.
According to Censys threat intelligence, approximately 52,650 exposed Coolify instances are currently trackable on the public internet, representing a significant attack surface for threat actors.
The vulnerabilities span two primary attack vectors: unauthenticated command injection via Docker Compose build parameters and authenticated privilege escalation through unsanitized git source input fields.
Additionally, a separate information disclosure flaw allows low-privileged users to extract private SSH keys, potentially enabling lateral movement and persistent access to underlying infrastructure.
| CVE ID | CVSS Score | Type | Impact |
|---|---|---|---|
| CVE-2025-64419 | 9.7 (v3.1) | Command Injection | Arbitrary command execution via Docker Compose |
| CVE-2025-64420 | 9.9 (v3.1) | Information Disclosure | Private SSH key exposure |
| CVE-2025-64424 | 9.4 (v4.0) | Command Injection | Authenticated RCE via git fields |
CVE-2025-64419 is the most dangerous of the three, exploiting unsanitized parameters in the Docker Compose build pack.
An attacker who convinces a victim to build an application from an attacker-controlled repository can trigger command execution on the Coolify host without holding any credentials on the instance.
CVE-2025-64424 is exploitable by authenticated users holding only member-level privileges, who can inject arbitrary commands through the git source input fields in a resource's configuration.
The flaw stems from inadequate input sanitization before these fields are interpolated into system commands, which makes exploitation trivial once a foothold account exists.
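The pattern described above, as an added example that is not Coolify's own code (Coolify is a PHP/Laravel application; the flaw is language-independent, so it is shown here in Python): a user-supplied branch name and repository URL interpolated into a shell string, beside a hardened builder that validates both fields and passes them to git as an argument vector with `--` to stop option parsing. The ref grammar, URL checks and the `/tmp/app` destination are assumptions for illustration, not Coolify's rules.

```python
"""Added example, not Coolify's code: shell injection via an unsanitized
"git source" field, and one way to harden the same operation."""
import re
import subprocess
from urllib.parse import urlparse


# --- vulnerable form: user input interpolated into a shell command string ---
def build_clone_command_vulnerable(repo: str, branch: str) -> str:
    # A branch such as "main; id > /tmp/pwned" is spliced straight into the
    # command line; if this string reaches a shell, the trailing command runs.
    return f"git clone --depth 1 -b {branch} {repo} /tmp/app"


# --- hardened form: validate, then exec without a shell --------------------
# Conservative subset of git-check-ref-format (assumed policy, not Coolify's):
# must start alphanumeric (so it can never look like a git option), then only
# [A-Za-z0-9._/-], no whitespace or shell metacharacters, no "..", no trailing "/".
_REF_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,254}")


def is_safe_ref(ref: str) -> bool:
    return (
        _REF_RE.fullmatch(ref) is not None
        and ".." not in ref
        and not ref.endswith("/")
    )


def is_safe_repo_url(url: str) -> bool:
    # Reject option-looking strings (git would parse "--upload-pack=..." as a
    # flag) and anything carrying shell metacharacters, then require a URL
    # with an explicit scheme and host. scp-style "git@host:path" is deliberately
    # out of scope for this illustration.
    if url.startswith("-") or any(c in url for c in ";|&`$<>\n\r"):
        return False
    parsed = urlparse(url)
    return parsed.scheme in ("https", "http", "ssh") and bool(parsed.netloc)


def build_clone_argv(repo: str, branch: str, dest: str) -> list[str]:
    """Return an argv list for git; raises ValueError on rejected input."""
    if not is_safe_ref(branch):
        raise ValueError(f"rejected branch name: {branch!r}")
    if not is_safe_repo_url(repo):
        raise ValueError(f"rejected repository URL: {repo!r}")
    # Argument vector, never a shell string. "--" ends option parsing so the
    # repository argument cannot be reinterpreted as a git flag.
    return ["git", "clone", "--depth", "1", "-b", branch, "--", repo, dest]


def clone(repo: str, branch: str, dest: str) -> None:
    # shell=False is the default: no shell ever sees these strings.
    subprocess.run(build_clone_argv(repo, branch, dest), check=True)


if __name__ == "__main__":
    # Constructed inputs: a benign pair and an injection attempt.
    print(build_clone_command_vulnerable("https://git.example/app.git", "main; id"))
    print(build_clone_argv("https://git.example/app.git", "release/v1.2", "/tmp/app"))
    print(is_safe_ref("main; id"), is_safe_ref("--upload-pack=id"))
```

Two points matter for the Coolify case. Moving from a shell string to an argument vector stops the `;`/`|`/backtick class of injection, but on its own it does not stop argument injection: a branch or URL beginning with `-` would still be parsed by git as an option, which is why the ref validator refuses a leading dash and the argv places `--` before the repository. Validation of the fields and shell-free execution are complementary, not alternatives.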
CVE-2025-64420 constitutes an information disclosure flaw that permits low-privileged users to access private SSH keys stored on the Coolify instance.
Once extracted, these credentials can be used for SSH authentication, potentially granting elevated privileges on both the Coolify platform and the underlying servers.
Patches are available for CVE-2025-64419, with version 4.0.0-beta.445 addressing the vulnerability. However, the patch status for CVE-2025-64420 and CVE-2025-64424 remains unclear.
Organizations operating affected Coolify versions should prioritize immediate upgrades and consider restricting network access to affected instances until patches are deployed.
A proof-of-concept published on GitHub confirms how easily the command-injection flaws can be triggered, which raises the likelihood of active exploitation in the near term.
Security teams should treat these vulnerabilities as critical priorities requiring immediate remediation.
The post Coolify Self-Hosting Platform Vulnerabilities Allow Attackers to Execute Arbitrary System Commands appeared first on Cyber Security News.