Coolify Command Injection Vulnerability in PostgreSQL Init Script Filenames Allowing Authenticated Remote Code Execution

Vulnerability

A command injection vulnerability has been identified in Coolify, an open-source tool for managing servers, applications, and databases. This vulnerability exists in versions prior to 4.0.0-beta.451 and allows authenticated users with application or service management permissions to execute arbitrary commands as root on managed servers. The issue arises because PostgreSQL initialization script filenames are passed to shell commands without proper validation, enabling full remote code execution. The vulnerability is part of a larger set of command injection vulnerabilities in Coolify that have been patched in version 4.0.0-beta.451.

Impact

Exploitation of this vulnerability allows for arbitrary command execution as root, the escape of container boundaries, and a complete compromise of the host system.

Remediation

Users are advised to upgrade to Coolify version 4.0.0-beta.451 or later. The Coolify development team has implemented input validation and shell argument escaping in all affected areas to prevent command injection.
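The defect described above (a user-controlled filename interpolated into a shell command) and the fix the advisory names (input validation plus shell argument escaping) are illustrated by the following added example. It is not Coolify's code: the directory paths, the allowlist rules and the function names are assumptions made for the illustration, since the page gives neither the affected code nor the patch.

```python
"""Filename validation and shell-argument escaping for database init scripts.

Added example, not Coolify's code. Paths and helper names are assumptions;
the page only describes the defect class and the mitigation class.
"""
import re
import shlex
import subprocess
from typing import List

# Allowlist (assumed policy): one path segment of safe characters, at most 128
# characters, starting with a letter or digit so '.'-prefixed names are refused.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")
_ALLOWED_SUFFIXES = (".sql", ".sh")

# Assumed locations; the real upload and initdb directories are not on the page.
UPLOAD_DIR = "/data/init-scripts"
INITDB_DIR = "/docker-entrypoint-initdb.d"


def validate_init_script_filename(name: str) -> str:
    """Return `name` unchanged if it is a safe single path segment, else raise ValueError.

    Rejects shell metacharacters, whitespace, quotes, path separators, '..' and
    unexpected extensions, so the value can never alter the shape of a command line.
    """
    if not _SAFE_NAME.fullmatch(name):
        raise ValueError(f"init script filename contains disallowed characters: {name!r}")
    if ".." in name:
        raise ValueError(f"init script filename may not contain '..': {name!r}")
    if not name.lower().endswith(_ALLOWED_SUFFIXES):
        raise ValueError(f"init script filename must end in {_ALLOWED_SUFFIXES}: {name!r}")
    return name


def is_safe_init_script_filename(name: str) -> bool:
    """Boolean form of the validator, convenient for request validation and tests."""
    try:
        validate_init_script_filename(name)
        return True
    except ValueError:
        return False


def build_copy_argv(name: str) -> List[str]:
    """Local case: the filename becomes exactly one argv element and no shell is involved."""
    safe = validate_init_script_filename(name)
    return ["cp", f"{UPLOAD_DIR}/{safe}", f"{INITDB_DIR}/{safe}"]


def build_remote_copy_line(name: str) -> str:
    """Remote case: the command is sent to a managed server over SSH, where a shell
    parses it, so every argument is additionally quoted with shlex.quote.
    Validation first, escaping second: the two layers are defence in depth."""
    safe = validate_init_script_filename(name)
    return " ".join(shlex.quote(arg) for arg in build_copy_argv(safe))


def run_local_copy(name: str) -> int:
    """Execute the local copy with an argv list (never shell=True); return the exit status."""
    return subprocess.run(build_copy_argv(name), check=False).returncode


if __name__ == "__main__":
    # Constructed sample inputs: one acceptable name and several that must be refused.
    for candidate in ("01-schema.sql", "seed data.sql", "../x.sql", "init;extra.sql", "schema.txt"):
        try:
            print("ACCEPT", build_remote_copy_line(candidate))
        except ValueError as exc:
            print("REJECT", exc)
```

The validator is the primary control: once a filename is restricted to a single safe path segment with an expected extension, it cannot carry metacharacters or traversal. Escaping with `shlex.quote` is kept anyway for the remote path, because a command line that is handed to a shell on another host should be safe even if the allowlist is later loosened.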

Added: Dec 23, 2025, 10:19 PM
Updated: Dec 23, 2025, 10:19 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact         10.0
exploitability  5.2
remediation     7.7
relevance       1.5
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.