Coolify Command Injection Vulnerability Allowing Root Command Execution

Vulnerability

A command injection vulnerability has been identified in Coolify, an open-source tool for managing servers, applications, and databases. This vulnerability exists in versions of Coolify through v4.0.0-beta.434, specifically within the git source input fields of a resource. It allows a low-privileged user (member) to execute system commands as root on the Coolify instance. The vulnerability arises from how user input is handled in the git source repository URL, enabling command execution on the server.

Impact

Exploitation of this vulnerability allows low-privileged users to execute arbitrary commands as root on the affected Coolify instance, potentially leading to unauthorized access or modification of system resources and data.

Reproduction

To reproduce this vulnerability, create a resource on a Coolify instance using the git source input field. Once the project is deployed, the vulnerability can be exploited by injecting a command into the git source repository URL; the injected command is then executed on the server. This is done by appending a payload that contains a command, such as one that exfiltrates data to an external server, which runs with root privileges.

Added: Jan 5, 2026, 9:20 PM
Updated: Jan 5, 2026, 10:32 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 6.6
remediation: 0.0
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.