CVE-2025-64419
HIGH WAF: High
CVSS 8.8
Published: 2026-01-05
CWE-77
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.445, parameters coming from docker-compose.yaml are not sanitized when used in commands. If a victim user creates an application from an attacker repository (using build pack "docker compose"), the attacker can execute commands on the Coolify instance as root. Version 4.0.0-beta.445 fixes the issue.
WAF Coverage Analysis
Command Injection
High WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution
Affected Software
| Vendor | Product | Version |
|---|---|---|
| coollabs | coolify | up to 4.0.0 |
| coollabs | coolify | 4.0.0 |
| coollabs | coolify | 4.0.0 |
| coollabs | coolify | 4.0.0 |
| coollabs | coolify | 4.0.0 |
| coollabs | coolify | 4.0.0 |
| coollabs | coolify | 4.0.0 |
| coollabs | coolify | 4.0.0 |
| coollabs | coolify | 4.0.0 |
| coollabs | coolify | 4.0.0 |
References
- github.com (Patch)
- github.com (Exploit, Vendor Advisory)