๐Ÿ” CVE Alert

CVE-2025-34161

UNKNOWN 0.0

Coolify Git Repository Field Command Injection in Project Deployment Workflow

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Coolify versions prior to v4.0.0-beta.420.7 contain a remote code execution vulnerability in the project deployment workflow. The platform allows authenticated users with low-level member privileges to inject arbitrary shell commands via the Git Repository field during project creation. By submitting a crafted repository string containing command injection syntax, an attacker can execute arbitrary commands on the underlying host system, resulting in full server compromise.

CWE: CWE-78, CWE-20
Vendor: coollabs technologies
Product: coolify
Published: Aug 27, 2025
Last Updated: May 14, 2026

Affected Versions

coolLabs Technologies / Coolify
* < 4.0.0-beta.420.7

References

* https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.420.7
* https://coolify.io/
* https://github.com/Eyodav/CVE-2025-34161

Credits

Mike G.A (Eyodav)