
CVE-2025-34157

Author: Eyodav

Stored XSS in Coolify Delete Flow (CVE-2025-34157)

Vulnerability Overview

Field      Value
CVE ID     CVE-2025-34157
Affects    Coolify ≤ v4.0.0-beta.420.6
Fixed in   v4.0.0-beta.420.7
Severity   Critical (9.4)
CVSS 4.0   CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CWE        CWE-79 (Cross-Site Scripting), CWE-20 (Improper Input Validation)

Summary

A stored XSS in the project delete flow allows attacker-controlled JavaScript to execute in an administrator's browser when the admin attempts to delete a project created by a low-privileged user. The payload is carried in the project name, which the delete flow renders into the page without HTML-encoding it, so the script runs with the admin's session. This can lead to takeover of the Coolify instance (session cookies, API tokens, WebSocket/terminal actions).

Impact

  • Attack Vector: Remote (any authenticated user, including a plain member)
  • Privileges Required: Low
  • User Interaction: An administrator initiating the delete action; no click on the injected element is needed
  • Impact: Account/session takeover, project/resource/terminal access

Affected Versions

All versions prior to and including v4.0.0-beta.420.6.

Proof of Concept

Summary

A stored XSS vulnerability exists in Coolify ≤ v4.0.0-beta.420.6.

  • A low-privileged user can create a project with a malicious name.
  • When an administrator attempts to delete the project, attacker-controlled JavaScript is executed in the admin’s browser.

This enables session hijacking, token theft, and full compromise of the Coolify instance.

Steps to Exploit

  1. Log in with a regular (non-admin) user account.
  2. Create a new project with the following malicious name:
    <details x=xxxxxxxxxxxxxxxxxx:2 open ontoggle="prompt('PoC');">
  3. Inside this project, add any resource (e.g., a GitLab repository or a Docker image).
  4. When an administrator opens the delete flow for the project, the payload executes without any further interaction: the open attribute on the <details> element fires the ontoggle handler as soon as the element is parsed into the page.

Impact

The malicious JavaScript runs in the administrator’s browser context, allowing the attacker to:

  • Steal session cookies
  • Exfiltrate API tokens / XSRF token
  • Intercept and manipulate WebSocket communication
  • Gain terminal access to connected servers

This vulnerability can be chained with other features to:

  • Escalate privileges
  • Manipulate projects/resources
  • Maintain persistent access across the Coolify instance