CVE-2026-45663

Dokploy · PaaS

Dokploy contains a command injection vulnerability in its Docker file upload functionality that allows authenticated users to execute arbitrary OS commands.

Executive summary

A critical command injection vulnerability in Dokploy allows authenticated users to execute arbitrary OS commands on the host by manipulating file upload paths.

Vulnerability

The application fails to sanitize the destinationPath parameter during Docker file uploads, instead interpolating it directly into a shell command. An authenticated attacker can inject shell metacharacters (for example a semicolon or a double quote) to break out of the intended docker cp command and execute arbitrary commands on the host operating system.

Business impact

With a CVSS score of 9.9, this vulnerability allows for total host compromise. An authenticated attacker can gain full control over the server hosting the Dokploy PaaS, potentially leading to unauthorized data access, service disruption, or further exploitation of the internal infrastructure.

Remediation

Immediate Action: Upgrade Dokploy to the latest version, which corrects the missing sanitization of the destinationPath parameter.

Proactive Monitoring: Monitor system logs for unexpected shell execution patterns or unauthorized changes to system files originating from the Dokploy service user.

Compensating Controls: Implement strict file path validation and limit the permissions of the user account running the Dokploy service to the minimum necessary to perform its functions.

Exploitation status

Public Exploit Available: No data available.

Analyst recommendation

This vulnerability represents a significant breach of isolation between the user and the host system. All organizations using Dokploy must patch immediately and audit their environments for any signs of unauthorized access or malicious command execution.