Coolify Command Injection Vulnerability in Project Management

Vulnerability

A command injection vulnerability has been identified in Coolify version 4.0.0-beta.358 and possibly earlier. The issue arises when a project is created or updated: the project name is embedded in a shell command without escaping, so characters such as a single quote can break out of the intended command structure and cause arbitrary shell commands to run on the host system. Exploitation could lead to full system compromise, unauthorized modification or deletion of sensitive files, and privilege escalation, depending on the permissions under which the injected commands run.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the host server, potentially leading to full system compromise. It also enables the creation, modification, or deletion of sensitive system files, with the possibility of escalating privileges based on the permissions of the executed processes.

Reproduction

To reproduce this vulnerability, create or edit a project in Coolify. Change the project name to include unescaped characters, such as a single quote, to break out of the intended command structure. Deploy the project and observe that the injected command is executed during the deployment process.

Remediation

Users can upgrade to Coolify version 4.0.0-beta.359, which addresses this vulnerability.
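The vulnerable pattern described above, shown beside the two forms that close it (shell-quoting the name, or skipping the shell entirely) plus an allow-list check on the name. This is an added illustration, not Coolify's code: the deployment command, the helper names and the sample project names are all constructed for the example, since the advisory does not show the real command.

```python
import re
import shlex
from typing import List, Optional

# Constructed sample names (not from the advisory): one benign, one that
# carries the single quote the advisory says breaks the command structure.
SAFE_NAME = "demo-project"
UNSAFE_NAME = "demo'project"

# Hypothetical deployment command; the real Coolify command is not shown on
# the advisory page, so this stands in for any shell string that embeds
# the project name.
DEPLOY_TEMPLATE = "mkdir -p /tmp/deploy/{name}"

def build_command_unsafe(name: str) -> str:
    """Vulnerable pattern: the raw name is interpolated into a shell string."""
    return DEPLOY_TEMPLATE.format(name=name)

def build_command_quoted(name: str) -> str:
    """Hardened pattern: shlex.quote turns the name into one shell word."""
    return DEPLOY_TEMPLATE.format(name=shlex.quote(name))

def deploy_argv(name: str) -> List[str]:
    """Strongest pattern: build an argv for subprocess.run(argv) with
    shell=False, so no shell ever parses the name."""
    return ["mkdir", "-p", f"/tmp/deploy/{name}"]

def shell_words(command: str) -> Optional[List[str]]:
    """Tokenise as a POSIX shell would. None means the command is malformed
    (an unbalanced quote): the command structure has been disrupted."""
    try:
        return shlex.split(command)
    except ValueError:
        return None

PROJECT_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,62}")

def is_valid_project_name(name: str) -> bool:
    """Defence in depth: allow-list the characters a project name may use."""
    return PROJECT_NAME_RE.fullmatch(name) is not None

if __name__ == "__main__":
    for name in (SAFE_NAME, UNSAFE_NAME):
        print(repr(name), "unsafe:", shell_words(build_command_unsafe(name)),
              "quoted:", shell_words(build_command_quoted(name)),
              "valid:", is_valid_project_name(name))
```

With the quoted name the shell sees exactly three words and the quote stays inside the path argument; with the raw name the tokeniser cannot even parse the command, which is the same breakage the advisory describes.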

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 10.0
exploitability: 6.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.