CVE-2025-59156 | THREATINT

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, a Remote Code Execution (RCE)*vulnerability exists in Coolify's application deployment workflow. This flaw allows a low-privileged member to inject arbitrary Docker Compose directives during project creation or updates. By defining a malicious service that mounts the host filesystem, an attacker can achieve root-level command execution on the host OS, completely bypassing container isolation. Version 4.0.0-beta.420.7 contains a patch for the issue.

PUBLISHED Reserved 2025-09-09 | Published 2026-01-05 | Updated 2026-01-05 | Assigner GitHub_M

CRITICAL: 9.4CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

< 4.0.0-beta.420.7

affected

References

github.com/...oolify/security/advisories/GHSA-h5xw-7xvp-xrxr

cve.org (CVE-2025-59156)

nvd.nist.gov (CVE-2025-59156)

Download JSON