๐Ÿ” CVE Alert

CVE-2025-34159

Severity: UNKNOWN (0.0)

Coolify Docker Compose Directive Injection in Application Deployment Workflow

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Coolify versions prior to v4.0.0-beta.420.6 contain a remote code execution vulnerability in the application deployment workflow. The platform allows authenticated users with low-level member privileges to inject arbitrary Docker Compose directives during project creation. By crafting a malicious service definition that mounts the host root filesystem, an attacker can gain full root access to the underlying server.

CWE: CWE-94, CWE-20
Vendor: coollabs technologies
Product: coolify
Published: Aug 27, 2025
Last Updated: May 14, 2026

Affected Versions

coolLabs Technologies / Coolify
* < 4.0.0.-beta.420.7

References

NVD, CVE.org, EPSS Data

* github.com: https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.420.7
* coolify.io: https://coolify.io/
* github.com: https://github.com/Eyodav/CVE-2025-34159

Credits

Mike G.A (Eyodav)