CVE-2025-22606

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-22606
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In version 4.0.0-beta.358 and possibly earlier versions, when creating or updating a "project," it is possible to inject arbitrary shell commands by altering the project name. If a name includes unescaped characters, such as single quotes (`'`), it breaks out of the intended command structure, allowing attackers to execute arbitrary commands on the host system. This vulnerability allows attackers to execute arbitrary commands on the host server, which could result in full system compromise; create, modify, or delete sensitive system files; and escalate privileges depending on the permissions of the executed process. Attackers with access to project management features could exploit this flaw to gain unauthorized control over the host environment. Version 4.0.0-beta.359 fixes this issue.

7.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/coollabsio/coolify/security/advisories/GHSA-ccp8-v65g-m526 Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:coollabs:coolify:4.0.0:beta358:*:*:*:*:*:*
History

19 Sep 2025, 15:12

Type Values Removed Values Added
First Time Coollabs
Coollabs coolify
CPE cpe:2.3:a:coollabs:coolify:4.0.0:beta358:*:*:*:*:*:*
References () https://github.com/coollabsio/coolify/security/advisories/GHSA-ccp8-v65g-m526 - () https://github.com/coollabsio/coolify/security/advisories/GHSA-ccp8-v65g-m526 - Exploit, Vendor Advisory
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.8
Summary
  • (es) Coolify es una herramienta de código abierto y autoalojable para administrar servidores, aplicaciones y bases de datos. En la versión 4.0.0-beta.358 y posiblemente versiones anteriores, al crear o actualizar un "proyecto", es posible inyectar comandos de shell arbitrarios modificando el nombre del proyecto. Si un nombre incluye caracteres sin escape, como comillas simples (`'`), se sale de la estructura de comandos prevista, lo que permite a los atacantes ejecutar comandos arbitrarios en el host sistema. Esta vulnerabilidad permite a los atacantes ejecutar comandos arbitrarios en el servidor host, lo que podría provocar un compromiso total del sistema; crear, modificar o eliminar archivos confidenciales del sistema; y escalar privilegios dependiendo de los permisos del proceso ejecutado. Los atacantes con acceso a las funciones de administración de proyectos podrían explotar esta falla para obtener control no autorizado sobre el entorno del host. La versión 4.0.0-beta.359 corrige este problema.

24 Jan 2025, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-01-24 16:15

Updated : 2025-09-19 15:12

NVD link : CVE-2025-22606

Mitre link : CVE-2025-22606

CVE.ORG link : CVE-2025-22606

JSON object : View

Products Affected

coollabs

  • coolify
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')