Coolify Remote Code Execution Vulnerability via Docker Compose Injection

Vulnerability

A critical remote code execution vulnerability has been identified in Coolify versions through v4.0.0-beta.420.6. This issue arises in the application deployment workflow, where user-supplied Docker Compose configurations are processed without adequate validation or sandboxing. Low-privileged users can inject arbitrary Docker Compose directives, potentially leading to root-level command execution on the host operating system and bypassing container isolation. Exploitation involves creating a malicious service that mounts the host filesystem, allowing attackers to execute commands with elevated privileges.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the host system with root privileges, leading to complete host compromise. This includes the ability to read and write system files, establish persistence, and perform lateral movement. Additionally, it could result in a multi-tenant security breach, compromising other users and teams on the same instance.

Reproduction

To reproduce this vulnerability, authenticate as a low-privileged member user and create or edit a project in Coolify. During the project deployment, inject a malicious Docker Compose configuration that mounts the host filesystem and executes commands. After deploying the project, verify the exploitation by checking for the presence of a proof file on the host or reviewing the command output in the deployment logs.

Remediation

Users are advised to upgrade to Coolify version v4.0.0-beta.420.7 or later. It is also recommended to review existing projects for potentially malicious Docker Compose configurations.
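One way to carry out the recommended review of existing projects is to scan each project's Docker Compose definition for directives that break container isolation, which is the class of configuration this advisory describes. The following is an added example and not Coolify's own code; it assumes the compose file has already been parsed into a dict (for example with yaml.safe_load), and the sample definition it checks is constructed for illustration.

```python
"""Flag Docker Compose service directives that expose the host.

Added example, not Coolify code. Input is a compose document already
parsed into a dict; the SAMPLE_COMPOSE below is constructed.
"""
import os

# Host paths whose bind mounting hands the container control of the host.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys",
                        "/var/run/docker.sock")


def _bind_source(volume):
    """Return the host-side path of a volume entry, or None if it is a
    named volume (short form 'name:/path' or long form without type bind)."""
    if isinstance(volume, str):
        src = volume.split(":", 1)[0]
    elif isinstance(volume, dict) and volume.get("type") == "bind":
        src = volume.get("source")
    else:
        return None
    # Short-form entries are host paths only when they start with / . or ~
    if not src or not src.startswith(("/", ".", "~")):
        return None
    return src


def _is_sensitive(src):
    """True if src is the host root or sits under a sensitive host path."""
    norm = os.path.normpath(src)
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/")
               for p in SENSITIVE_HOST_PATHS if p != "/")


def scan_compose(compose):
    """Return (service, finding) tuples for directives a reviewer should
    question: privileged mode, host PID namespace, sensitive bind mounts."""
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        if svc.get("privileged"):
            findings.append((name, "privileged: true"))
        if svc.get("pid") == "host":
            findings.append((name, "pid: host"))
        for vol in svc.get("volumes") or []:
            src = _bind_source(vol)
            if src and _is_sensitive(src):
                findings.append((name, f"bind mount of host path {src}"))
    return findings


SAMPLE_COMPOSE = {  # constructed sample, not taken from the advisory
    "services": {
        "web": {"image": "nginx", "volumes": ["./html:/srv", "cache:/cache"]},
        "agent": {"image": "busybox", "volumes": ["/:/host"], "privileged": True},
        "ops": {"image": "alpine", "volumes": [{"type": "bind",
                "source": "/var/run/docker.sock", "target": "/var/run/docker.sock"}]},
    },
    "volumes": {"cache": {}},
}
```

Run over every project's compose definition, any non-empty result marks a project that needs a manual look before the instance is considered clean.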

Added: Jan 5, 2026, 6:21 PM
Updated: Jan 5, 2026, 6:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.