Coolify Command Injection Vulnerability Leading to Remote Code Execution
Vulnerability
A command injection vulnerability allowing remote code execution has been identified in Coolify versions prior to 4.0.0-beta.420.7. The issue arises in the Git Repository field during project creation, where user input is not properly sanitized. This lack of validation enables attackers to inject arbitrary shell commands that are executed on the underlying server during the deployment workflow. The vulnerability can be exploited by regular member users.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the victim's server, leading to full system compromise. It enables attackers to read, create, modify, or delete sensitive system files, with the potential for privilege escalation depending on the execution context.
Reproduction
To reproduce this vulnerability, create a new project in Coolify version 4.0.0-beta.420.6 or earlier. In the Git Repository field, enter a payload that includes a command injection, such as a Git repository URL followed by a semicolon and a command (e.g., 'cat /etc/passwd'). Once the project is deployed, the injected command will be executed on the server, demonstrating the command injection vulnerability.
Remediation
Users can upgrade to Coolify version 4.0.0-beta.420.7 or later, where this vulnerability has been patched.
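The root cause described above is a user-supplied repository string reaching a shell unvalidated. As an added illustration (not Coolify's code or its actual patch), the following Python shows the two defensive controls a deployment backend would want: a strict allowlist validator for the Git Repository field, and building the clone command as an argv list with no shell so that characters like the semicolon in the reproduction step can never split the command. The URL shapes accepted and the clone options are assumptions chosen for the example.

```python
import re
import subprocess
from typing import List

# Hypothetical allowlist for the repository field (not Coolify's own rules):
# https(s)://host[:port]/path, ssh://user@host[:port]/path, or scp-style
# user@host:path. Anything outside these characters is rejected outright.
_REPO_PATTERNS = [
    re.compile(r"^https?://[A-Za-z0-9.-]+(:\d+)?/[A-Za-z0-9._~/-]+$"),
    re.compile(r"^ssh://[A-Za-z0-9._-]+@[A-Za-z0-9.-]+(:\d+)?/[A-Za-z0-9._~/-]+$"),
    re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+:[A-Za-z0-9._~/-]+$"),
]

# Defense in depth: shell metacharacters and whitespace have no place in a
# repository reference, so refuse them before the regex even runs.
_FORBIDDEN = set(";|&`$()<>{}\n\r \t\"'\\")


def is_valid_git_repository(repo: str) -> bool:
    """Return True only if repo is non-empty, bounded in length, contains no
    shell metacharacters, and matches one of the allowlisted URL shapes."""
    if not repo or len(repo) > 512:
        return False
    if any(ch in _FORBIDDEN for ch in repo):
        return False
    return any(p.match(repo) for p in _REPO_PATTERNS)


def build_clone_argv(repo: str, dest: str) -> List[str]:
    """Build `git clone` as an argv list after validation. No shell is involved,
    and `--` ends option parsing so a value starting with '-' cannot be read
    by git as a flag. `dest` is assumed to be generated by the server."""
    if not is_valid_git_repository(repo):
        raise ValueError("rejected git repository value")
    return ["git", "clone", "--depth", "1", "--", repo, dest]


def clone(repo: str, dest: str) -> int:
    """Run the clone with subprocess and no shell; return git's exit status."""
    return subprocess.run(build_clone_argv(repo, dest), check=False).returncode
```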
