Dokploy Unauthenticated Preview Deployment Vulnerability Allowing Remote Code Execution

Vulnerability

A vulnerability in Dokploy prior to version 0.24.3 allows unauthenticated users to execute arbitrary code and read sensitive environment variables through preview deployments on public repositories. The root cause is that Dokploy automatically builds and deploys the code of any pull request opened against a connected public repository, including pull requests from forks owned by arbitrary GitHub accounts. An attacker therefore needs neither a Dokploy account nor write access to the repository: opening a pull request is enough to get their code built and run with the environment variables configured for the preview deployment. The result is exposure of secrets and remote code execution, affecting any Dokploy instance that has preview deployments enabled for a public repository.

Impact

Exploitation of this vulnerability gives an unauthenticated attacker remote code execution on the Dokploy server, together with read access to the sensitive environment variables (API keys, database credentials and similar) configured for the preview deployment of the targeted application.

Reproduction

To reproduce this vulnerability, create a public GitHub repository and connect it to Dokploy with preview deployments enabled. Add environment variables, such as fake API keys, to the preview deployment configuration. Then, from a second GitHub account that has no access to the Dokploy instance and no write access to the original repository, fork the repository and open a pull request whose code exposes its environment, for example a Next.js API route that returns process.env. Dokploy deploys the pull request automatically, without any review or approval step, and comments on it with a public link to the preview deployment; visiting that link shows the configured environment variables.
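The condition exploited above is that preview deployments are triggered for any pull request, regardless of where it comes from or who opened it. The following is an added example, not Dokploy's code and not the fix shipped in 0.24.3: a gate that a deployment platform can run on a GitHub pull_request webhook event before deploying the pull request's code with the real preview environment. It refuses fork pull requests outright (the attacker's path in the reproduction) and additionally requires a trusted author association for same-repository branches. Field names follow GitHub's pull_request webhook payload; the two sample events and the repository names in them are constructed for this example.

```javascript
// Added example (not Dokploy's code, and not its 0.24.3 fix): a pre-deploy
// gate for GitHub "pull_request" webhook events. Field names follow GitHub's
// webhook payload; the sample events below are constructed for this example.

const TRUSTED_ASSOCIATIONS = new Set(["OWNER", "MEMBER", "COLLABORATOR"]);
const DEPLOYABLE_ACTIONS = new Set(["opened", "reopened", "synchronize"]);

/**
 * Decide whether a pull_request event may trigger an automatic preview
 * deployment that receives the real preview environment variables.
 * @param {object} event  parsed pull_request webhook payload
 * @returns {{deploy: boolean, reason: string}}
 */
function shouldAutoDeployPreview(event) {
  const pr = event.pull_request;
  if (!DEPLOYABLE_ACTIONS.has(event.action)) {
    return { deploy: false, reason: `ignored action "${event.action}"` };
  }
  // head.repo is null when the source fork has been deleted: treat as untrusted.
  if (!pr.head.repo) {
    return { deploy: false, reason: "head repository no longer exists" };
  }
  // The PR's code lives in head.repo. If that is a different repository than
  // the base, it is a fork PR: anyone with a GitHub account can open one
  // against a public repo, so its code must never run with the real secrets.
  if (pr.head.repo.full_name !== pr.base.repo.full_name) {
    return { deploy: false, reason: `fork PR from ${pr.head.repo.full_name}` };
  }
  // Same-repo branch: still require a trusted author, so that a drive-by
  // CONTRIBUTOR / FIRST_TIME_CONTRIBUTOR / NONE cannot reach the environment.
  if (!TRUSTED_ASSOCIATIONS.has(pr.author_association)) {
    return {
      deploy: false,
      reason: `author association ${pr.author_association} is not trusted`,
    };
  }
  return { deploy: true, reason: `trusted PR #${pr.number} at ${pr.head.sha}` };
}

// Constructed sample: the advisory's scenario, a PR opened from a fork owned
// by another account with no relationship to the repository.
const forkPullRequest = {
  action: "opened",
  pull_request: {
    number: 7,
    author_association: "NONE",
    head: { sha: "a1b2c3d", repo: { full_name: "attacker/demo-app" } },
    base: { repo: { full_name: "victim/demo-app" } },
  },
  repository: { full_name: "victim/demo-app", private: false },
};

// Constructed sample: a branch pushed to the repository by its owner.
const ownerPullRequest = {
  action: "synchronize",
  pull_request: {
    number: 8,
    author_association: "OWNER",
    head: { sha: "d4e5f6a", repo: { full_name: "victim/demo-app" } },
    base: { repo: { full_name: "victim/demo-app" } },
  },
  repository: { full_name: "victim/demo-app", private: false },
};

// Runs the gate over both samples and returns the decisions.
function demo() {
  return {
    fork: shouldAutoDeployPreview(forkPullRequest),
    owner: shouldAutoDeployPreview(ownerPullRequest),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Note what the gate does not do: it does not make fork pull requests safe to deploy, it keeps them away from the environment entirely. A platform that wants previews for outside contributions has to build them in a sandbox with no secrets, or only after an explicit approval by a maintainer, which is the behaviour the vulnerable Dokploy versions lacked.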

Remediation

Update to Dokploy version 0.24.3 or later, which fixes this issue. Until the update is applied, disabling preview deployments for public repositories removes the exposed path. If an instance ran a vulnerable version with preview deployments enabled on a public repository, treat the environment variables configured for those preview deployments as potentially exposed and rotate them.

Added: Jul 14, 2025, 11:40 PM
Updated: Jul 14, 2025, 11:40 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         7.5
exploitability: 8.7
remediation:    7.7
relevance:      0.3
threat:         6.4
urgency:        2.9
incentive:      5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.