Coolify Command Injection Vulnerability Allowing Authenticated Remote Code Execution
Vulnerability
Coolify versions prior to 4.0.0-beta.451 contain a command injection vulnerability that allows authenticated users with application or service management permissions to execute arbitrary commands as root on managed servers. The vulnerability arises from improper validation and sanitization of user-controlled parameters, which are passed directly into shell commands. Successful exploitation results in full remote code execution on the host system.
Impact
Exploitation of this vulnerability allows arbitrary command execution as root, escape from container restrictions, and complete compromise of the host system.
Remediation
Users are advised to upgrade to Coolify version 4.0.0-beta.451 or later. The Coolify development team has addressed this vulnerability by implementing thorough input validation and escaping of shell arguments in all affected areas to prevent command injection.
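The defect described above (user input interpolated into a shell command string) beside the remediation the advisory names (validate the parameter, then escape each shell argument), as an added Python example that is not Coolify's own code; the `docker restart` command, the name allow-list pattern and the constructed malicious value are assumptions made for the illustration.

```python
import re
import shlex

# Allow-list for user-supplied identifiers such as container or service
# names. The pattern is an assumption for this example, not Coolify's rule.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def build_restart_command_vulnerable(name: str) -> str:
    """Unsafe: the user-controlled value is interpolated verbatim into a
    string that a shell on the managed server will later interpret."""
    return f"docker restart {name}"


def validate_name(name: str) -> str:
    """First layer: reject anything outside the allow-list up front."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"invalid name: {name!r}")
    return name


def build_restart_command_hardened(name: str) -> str:
    """Second layer: quote the argument so the remote shell sees exactly one
    word, even if the value somehow reached this point unvalidated."""
    return "docker restart " + shlex.quote(validate_name(name))


def shell_words(command: str) -> list:
    """Split a command the way a POSIX shell splits words, to show whether
    injected text stays inside one argument or becomes extra words."""
    return shlex.split(command)


if __name__ == "__main__":
    payload = "app; id"  # constructed malicious value for the demonstration
    print(shell_words(build_restart_command_vulnerable(payload)))
    try:
        build_restart_command_hardened(payload)
    except ValueError as exc:
        print("rejected:", exc)
    print(shell_words("docker restart " + shlex.quote(payload)))
```

In the vulnerable form the injected text becomes additional shell words (and a real shell would treat `;` as a command separator); the hardened form rejects the value, and quoting alone would still keep it a single argument.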
