A critical remote code execution vulnerability exists in the Coolify management tool. An attacker can gain complete control of the server running Coolify by tricking a user into deploying an application from a malicious code repository. Successful exploitation allows the attacker to execute commands as the root user, leading to a full system compromise.

The vulnerability is a command injection flaw due to improper sanitization of input from docker-compose.yaml files. When a user configures Coolify to build an application from a Git repository using the "docker compose" build pack, Coolify parses the docker-compose.yaml file and uses parameters from it to construct system commands. An attacker can craft a malicious docker-compose.yaml file with specially designed parameters that break out of the intended command and inject arbitrary new commands, which are then executed on the Coolify host with root privileges.

This vulnerability is rated as critical severity with a CVSS score of 9.6, posing a severe risk to the organization. A successful exploit grants an attacker full administrative (root) access to the server hosting Coolify. This can lead to the theft or destruction of all data on the server, including application source code, databases, and sensitive credentials. Furthermore, the compromised server can be used as a pivot point to launch further attacks against the internal network, disrupt critical services managed by Coolify, or be used in botnets for malicious activities.

Immediate Action: Immediately upgrade all instances of Coolify to version 4.0.0-beta.445 or a later version, which contains the fix for this vulnerability. After patching, carefully review system and application access logs for any signs of compromise, such as unusual commands being executed or deployments from untrusted repositories.

Proactive Monitoring: Implement enhanced logging and monitoring on the Coolify host. Specifically, monitor for suspicious child processes spawned by the Coolify service, unexpected outbound network connections, and review Coolify's own deployment logs for any applications created from unfamiliar or suspicious source code repositories.

Compensating Controls: If immediate patching is not feasible, implement strict access controls to limit which users can deploy new applications. Enforce a policy that only allows deployments from vetted, internal code repositories. Additionally, consider running the Coolify instance behind a firewall with strict egress filtering rules to block potential command-and-control (C2) communication from a compromised host.

Public Exploit Available: false

Given the critical severity (CVSS 9.6) and the potential for complete system compromise, we strongly recommend that organizations prioritize patching this vulnerability immediately. All instances of Coolify should be upgraded to version 4.0.0-beta.445 or newer without delay. Due to the high risk of root-level remote code execution, this vulnerability should be treated as an imminent threat, even in the absence of current public exploits or its inclusion in the CISA KEV catalog.