CVE-2025-34161
HIGH 8.8
Description
Coolify versions prior to v4.0.0-beta.420.7 contain a remote code execution vulnerability in the project deployment workflow. The platform allows authenticated users with low-level member privileges to inject arbitrary shell commands via the Git Repository field during project creation. By submitting a crafted repository string containing command injection syntax, an attacker can execute arbitrary commands on the underlying host system, resulting in full server compromise.
CVE details
CVSS v3.1 score: 8.8
Severity: HIGH
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Complexity: LOW
Privileges required: LOW
User interaction: NONE
Published: 8/27/2025
Last modified: 9/19/2025
Source: nvd
Honeypot sightings: 0
Affected products
coollabs:coolify
Weaknesses (CWE)
CWE-20, CWE-78
References
https://coolify.io/ (disclosure@vulncheck.com)
https://github.com/Eyodav/CVE-2025-34161 (disclosure@vulncheck.com)
https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.420.7 (disclosure@vulncheck.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.