CVE-2025-64419 PUBLISHED

Coolify vulnerable to command injection via docker-compose.yaml parameters

Assigner: GitHub_M
Reserved: 03.11.2025 Published: 05.01.2026 Updated: 05.01.2026

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.445, parameters coming from docker-compose.yaml are not sanitized when used in commands. If a victim user creates an application from an attacker repository (using build pack "docker compose"), the attacker can execute commands on the Coolify instance as root. Version 4.0.0-beta.445 fixes the issue.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSS Score: 9.7

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	Required	Availability Impact	High

CVSS 3.1

Product Status

Vendor	coollabsio
Product	coolify
Versions	Version < 4.0.0-beta.445 is affected

References

Problem Types

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE