CVE 10 CRITICAL

Coolify has Git Repository RCE_CVE-2025-59157

January 5, 2026 invoker category_cve

10 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, the Git Repository field during project creation is vulnerable to command injection. User input is not properly sanitized, allowing attackers to inject arbitrary shell commands that execute on the underlying server during the deployment workflow. A regular member user can exploit this vulnerability. Version 4.0.0-beta.420.7 contains a patch for the issue.

AI Analysis

Command injection vulnerability in the Git Repository field during project creation, allowing attackers to inject arbitrary shell commands.

Basic Information

ID CVE-2025-59157

Source GitHub_M

Published Jan 5, 2026 at 17:41

Affected Product

Vendor coollabsio

Product coolify

Version < 4.0.0-beta.420.7

Affected Versions coollabsio coolify < 4.0.0-beta.420.7

CWE Classification

CWE-78

AI Assessment

AI Score 10 / 10

AI Severity Critical

Vendor coollabsio

Product Coolify

Version < 4.0.0-beta.420.7

References

github.com /coollabsio/coolify/security/advisories/GHSA-5cg9-38qj-8mc3

{
    "lastseen": "",
    "description": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, the Git Repository field during project creation is vulnerable to command injection. User input is not properly sanitized, allowing attackers to inject arbitrary shell commands that execute on the underlying server during the deployment workflow. A regular member user can exploit this vulnerability. Version 4.0.0-beta.420.7 contains a patch for the issue.",
    "published": "2026-01-05T17:41:29.557Z",
    "modified": "2026-01-05T17:41:29.557Z",
    "type": "cve",
    "title": "Coolify has Git Repository RCE",
    "source": "GitHub_M",
    "references": "https://github.com/coollabsio/coolify/security/advisories/GHSA-5cg9-38qj-8mc3",
    "id": "CVE-2025-59157",
    "bulletinFamily": "",
    "cwe": [
        "CWE-78"
    ],
    "cvelist": null,
    "sourceData": "coollabsio coolify < 4.0.0-beta.420.7",
    "sourceHref": "",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "coolify",
    "version": "< 4.0.0-beta.420.7",
    "vendor": "coollabsio",
    "ai_description": "Command injection vulnerability in the Git Repository field during project creation, allowing attackers to inject arbitrary shell commands.",
    "ai_severity": "Critical",
    "ai_vendor": "coollabsio",
    "ai_product": "Coolify",
    "ai_version": "< 4.0.0-beta.420.7",
    "ai_score": 10
}

💭 Join the Security Discussion ❌ Cancel Reply