A critical command injection vulnerability has been identified in the Coolify management tool, rated 9.9 out of 10. This flaw allows a regular user to execute arbitrary commands on the server by entering malicious text into the "Git Repository" field when creating a project. Successful exploitation can lead to a complete compromise of the underlying server, including data theft, service disruption, and unauthorized access to the network.

The vulnerability is a command injection flaw within the project creation workflow. The "Git Repository" input field fails to properly sanitize user-supplied data before passing it to a system shell for execution, likely during a git clone operation. An authenticated attacker with standard user privileges can craft a malicious payload (e.g., https://github.com/user/repo.git; id) and submit it as the repository URL. The server will execute the injected command (id) with the permissions of the Coolify application process, leading to remote code execution (RCE) on the host system.

This vulnerability is of critical severity with a CVSS score of 9.9, posing a significant threat to the organization. A successful exploit grants an attacker full control over the server hosting Coolify, enabling them to steal sensitive data such as application source code, database credentials, and API keys. The attacker could also disrupt services, install persistent backdoors, use the compromised server to attack other systems within the internal network (lateral movement), or deploy ransomware. The fact that a low-privileged user can trigger this vulnerability significantly increases the risk profile.

Immediate Action: Immediately upgrade all instances of Coolify to the patched version 4.0.0-beta.420.7 or newer. After patching, it is crucial to review server and application logs for any signs of past exploitation attempts, such as unusual commands or outbound network connections originating from the Coolify process.

Proactive Monitoring: Security teams should monitor application logs for project creation events containing malformed Git repository URLs, specifically those with shell metacharacters (e.g., ;, |, &&, $(), `). Monitor system processes for unexpected child processes being spawned by the Coolify service user. Implement network monitoring to detect anomalous outbound traffic from the Coolify server to unknown destinations.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to detect and block common command injection patterns in HTTP requests to the Coolify application. Further restrict the operating system user account running the Coolify service by applying the principle of least privilege, limiting its ability to read/write files and execute system commands. Restrict all outbound network connectivity from the server except to explicitly approved endpoints.

Public Exploit Available: false

Given the critical severity (CVSS 9.9) and the risk of complete system compromise by a low-privileged user, this vulnerability represents an immediate and severe threat. We strongly recommend that all organizations using affected versions of Coolify apply the security update to version 4.0.0-beta.420.7 or later with the highest priority. Do not wait for evidence of active exploitation or for its addition to the CISA KEV catalog; the risk of compromise is too high to delay remediation.