Coolify Command Injection Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A command injection vulnerability has been identified in Coolify, an open-source tool for managing servers, applications, and databases. It affects versions from 4.0.0-beta.18 up to, but not including, 4.0.0-beta.253. The flaw allows authenticated users to execute arbitrary code on the local Coolify container via SSH command injection. Exploitation could lead to unauthorized access to sensitive data, including private keys and tokens belonging to other users or teams, and could allow attackers to modify the behavior of the application or its deployed services.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the Coolify container, with potential access to sensitive data and private keys of other users or teams. It also poses a risk to the availability and integrity of the application, as it could be used to disrupt services or modify application behavior.

Reproduction

The vulnerability can be reproduced by injecting a command that includes the SSH delimiter into the 'remote_process' function, which executes commands on remote servers via SSH. This can be done by exploiting the feature that allows custom commands for database imports or by using the command execution feature in application containers. Once the command is executed, the injected command can exfiltrate data, such as server IPs and private keys, through a crafted payload that bypasses the application's input sanitization.
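The root cause described above is a user-supplied command string being spliced into the text that an SSH client hands to the remote login shell, so shell metacharacters in that string are interpreted remotely. The following is an added illustration of the vulnerable pattern beside a hardened builder; it is not Coolify's own code (Coolify is written in PHP, and its 'remote_process' function is not reproduced here). The function names, the allowlist of base commands, the placeholder host and the sample inputs are all assumptions constructed for this example.

```python
import re
import shlex

# Placeholder remote target for the constructed example (not a real host).
REMOTE_HOST = "deploy@server.example"

# Hypothetical allowlist: the base commands a "custom import" feature is
# meant to run. Anything else is rejected before a command line is built.
ALLOWED_BASES = {"pg_restore", "psql", "mysql"}


def build_unsafe(user_command: str) -> list[str]:
    """Vulnerable pattern (illustrative): user text is interpolated straight
    into the remote command string. sshd passes that string to a shell on
    the server, so a ';', '&&' or '$(...)' in user_command becomes a second
    command instead of an argument."""
    return ["ssh", REMOTE_HOST, f"cd /data && {user_command}"]


def build_hardened(user_command: str) -> list[str]:
    """Hardened pattern: split the input into tokens, require the first token
    to be an allowlisted base command, reject non-printable characters in
    the remaining tokens, and re-quote every token with shlex.quote so the
    remote shell sees exactly one command with literal arguments."""
    tokens = shlex.split(user_command)  # ValueError on unbalanced quotes
    if not tokens or tokens[0] not in ALLOWED_BASES:
        raise ValueError(f"base command not permitted: {tokens[:1]}")
    for tok in tokens[1:]:
        # Newlines or other control characters inside a quoted token are
        # rejected outright rather than relying on quoting alone.
        if not re.fullmatch(r"[\x20-\x7e]+", tok):
            raise ValueError("argument contains non-printable characters")
    quoted = " ".join(shlex.quote(t) for t in tokens)
    return ["ssh", REMOTE_HOST, f"cd /data && {quoted}"]


def is_permitted(user_command: str) -> bool:
    """True if build_hardened would accept the input, False otherwise."""
    try:
        build_hardened(user_command)
        return True
    except ValueError:
        return False


def remote_shell_sees(argv: list[str]) -> str:
    """The string the remote login shell receives is the last ssh argument."""
    return argv[-1]


if __name__ == "__main__":
    # Constructed sample input: a legitimate base command followed by an
    # injected second command.
    sample = "pg_restore dump.sql; id"
    print("unsafe  :", remote_shell_sees(build_unsafe(sample)))
    print("hardened:", remote_shell_sees(build_hardened(sample)))
    print("rejected:", not is_permitted("echo hello"))
```

The hardened builder does not try to strip "dangerous" characters from the input, which is the approach that sanitization bypasses defeat; it instead guarantees that every token reaches the remote shell as a quoted literal, and it refuses any command whose first word is outside the allowlist. Unit tests around `remote_shell_sees` make the difference between the two builders visible in CI.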

Remediation

Users can update to Coolify version 4.0.0-beta.253 or later to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  6.6
remediation     7.7
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.