Coolify Command Injection Vulnerability via Unsanitized Docker Compose Parameters
Vulnerability
A command injection vulnerability has been identified in Coolify, an open-source tool for managing servers, applications, and databases. This issue affects versions prior to 4.0.0-beta.445. The vulnerability arises because parameters from the docker-compose.yaml file are not properly sanitized before being used in commands. An attacker can exploit this by creating a repository with a malicious docker-compose.yaml file. When a victim user deploys an application from this repository using the 'docker compose' build pack, the attacker can execute arbitrary commands on the Coolify instance with root privileges.
Impact
Exploitation of this vulnerability allows for arbitrary command execution as root on the affected Coolify instance.
Reproduction
To reproduce this vulnerability, create an attacker repository that includes a docker-compose.yaml file with a payload designed to exploit the command injection. This payload should be crafted to break out of the 'docker exec' command and execute arbitrary commands on the Coolify host. Once the repository is created, deploy an application from it using the Coolify interface. The injected command will be executed on the server, and any resulting data can be sent back to an external server as a proof of concept.
Remediation
Users can update to Coolify version 4.0.0-beta.445 or later, where this vulnerability has been fixed.
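The general defence for this bug class, shown as an added example that is not Coolify's code or its actual fix: validate compose-derived values and build the 'docker exec' command as an argument list instead of an interpolated string. The function names, the sample values and the inner `mkdir` command are assumptions; the page does not say which docker-compose.yaml parameters were affected.

```python
import re
import shlex

# Docker's rule for container names. A name that passes cannot contain
# shell metacharacters and cannot start with "-" (so it is never read as a flag).
CONTAINER_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]+")


def exec_argv(container, inner_argv):
    """Build a `docker exec` invocation as an argv list (hypothetical helper).

    Run the result with subprocess.run(argv) and no shell=True: no shell parses
    the list, so metacharacters inside inner_argv stay literal text.
    Caveat: if inner_argv is itself ["sh", "-c", ...], a shell inside the
    container parses that string again, so avoid that form for untrusted values.
    """
    if not CONTAINER_NAME.fullmatch(container):
        raise ValueError(f"rejected container name: {container!r}")
    if not inner_argv or any("\x00" in arg for arg in inner_argv):
        raise ValueError("inner command must be non-empty and NUL-free")
    return ["docker", "exec", container, *inner_argv]


def as_shell_string(argv):
    """Quote every element for cases where the command must travel as one
    string, for example when it is handed to a remote shell."""
    return shlex.join(argv)


# Constructed sample values standing in for fields read from a docker-compose.yaml.
SAMPLE_CONTAINER = "web-1"
SAMPLE_PATH = "/data/$(echo constructed)"

if __name__ == "__main__":
    argv = exec_argv(SAMPLE_CONTAINER, ["mkdir", "-p", SAMPLE_PATH])
    print(argv)
    print(as_shell_string(argv))
```
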
