Coolify Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in Coolify, an open-source tool for managing servers, applications, and databases. This issue affects Coolify versions prior to and including v4.0.0-beta.420.6. The vulnerability arises in the project creation workflow, where an authenticated user with low privileges, such as a member role, can create a project with a name containing embedded JavaScript. When an administrator later tries to delete the project or its related resource, the malicious script executes automatically in the admin's browser context.
Impact
Exploitation of this vulnerability leads to a full compromise of the Coolify instance. This includes theft of API tokens and session cookies, unauthorized access to WebSocket-based terminal sessions on managed servers, and misuse of project management features with administrator privileges. Additionally, there is potential for persistence and privilege escalation when combined with other vulnerabilities.
Reproduction
To reproduce this vulnerability, log in with a regular account that has low privileges. Create a new project and give it a name that includes a JavaScript payload, such as a details tag with an 'ontoggle' attribute. After the project is created, add a resource to it, such as a GitLab repository or a Docker image. When an administrator attempts to delete the project, the embedded JavaScript will execute in their browser.
Remediation
Users are advised to upgrade to Coolify v4.0.0-beta.420.7 or later. It is also recommended to sanitize and HTML-encode all user-supplied input, particularly project names, and to restrict the use of special characters in project metadata. Applying Content Security Policy headers can help reduce the impact of XSS vulnerabilities.
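The two remediation measures above, contextual output encoding and an allow-list on project names, are small enough to show end to end. The following is an added example written for this advisory, not Coolify's own code; the function names, the allow-list pattern, the CSP value and the sample project name are all assumptions, and the sample name is constructed to resemble the payload shape the advisory describes (a details element carrying an ontoggle handler). It renders a deletion confirmation message both unsafely and safely so the difference is visible in the output.

```javascript
// Added example (not Coolify's code): defensive handling of a user-supplied
// project name before it reaches an admin-facing page.

// HTML entity encoding for text placed inside an element body or attribute.
const ESCAPE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Allow-list validation at input time (assumed policy): letters, digits,
// space, dot, underscore and hyphen; must start alphanumeric; max 63 chars.
const PROJECT_NAME_RE = /^[A-Za-z0-9][A-Za-z0-9 ._-]{0,62}$/;

function isValidProjectName(name) {
  return PROJECT_NAME_RE.test(name);
}

// The vulnerable pattern: raw interpolation of stored data into markup.
function renderDeleteConfirmationUnsafe(projectName) {
  return `<p>Delete project <strong>${projectName}</strong>?</p>`;
}

// The hardened pattern: encode on output, regardless of input validation.
function renderDeleteConfirmation(projectName) {
  return `<p>Delete project <strong>${escapeHtml(projectName)}</strong>?</p>`;
}

// Unit-test helper: does the rendered markup still contain a live tag with an
// inline event handler, or a script element? (a narrow check, not an HTML parser)
function containsActiveMarkup(html) {
  return /<[a-z][^>]*\bon[a-z]+\s*=/i.test(html) || /<script\b/i.test(html);
}

// Assumed CSP: no inline scripts or inline event handlers are allowed, so even
// a missed encoding site cannot execute attacker-controlled JavaScript.
const CSP_HEADER = {
  "Content-Security-Policy":
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
};

// Constructed sample name with the shape described in the advisory.
const SAMPLE_HOSTILE_NAME = '<details ontoggle="alert(1)">prod</details>';

function demo(name = SAMPLE_HOSTILE_NAME) {
  return {
    accepted: isValidProjectName(name),
    unsafeIsActive: containsActiveMarkup(renderDeleteConfirmationUnsafe(name)),
    safeIsActive: containsActiveMarkup(renderDeleteConfirmation(name)),
    safeHtml: renderDeleteConfirmation(name),
  };
}

console.log(demo());
```

Output encoding is the control that actually closes the bug: validation alone can be bypassed by other entry points (API, import, rename) or relaxed later, whereas escaping at the render site is correct whatever the stored value is. The CSP is a second layer; with `script-src 'self'` and no `'unsafe-inline'`, an inline `ontoggle` handler is refused by the browser even if an unencoded sink remains.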
