
You’ll want to run this Docker container locally:
git clone https://github.com/androidteacher/CVE-2025-64424-Coolify-.git
cd CVE-2025-64424-Coolify-/lab
docker compose up --build -d
Point your web browser at the login:
<http://localhost:10005>
What is Coolify?
- Coolify provides a web-based dashboard to manage hosted services. It automates server management tasks, including SSL certificate setup, reverse proxy configuration, and Docker container management.
Simple Use Cases
- Self-Hosting: Instead of paying monthly fees to a hosting provider, a developer can use Coolify to deploy a Next.js or WordPress site on a $5/month VPS. Coolify will automatically handle the "HTTPS" setup and update the site every time the developer pushes new code to GitHub.
- "One-Click" Services: Coolify offers a library of popular open-source software.
What is the Vulnerability?
- The vulnerability (CVE-2025-64424) is a Command Injection flaw that leads to Remote Code Execution (RCE).
An "injection" occurs when an application mistakenly treats data or input (such as a URL) as a command to execute. Because Coolify runs with elevated system permissions in order to manage Docker containers, anyone who can trigger this flaw can execute commands as the root user.
How the Attack Works (The RCE Flow)
- Login: An attacker logs into the Coolify dashboard. They only need "Member" (low-privileged) access; they do not need to be an administrator.
- Create Resource: The attacker creates a new "Application" or "Resource" that requires a Git repository.
- The Payload: Instead of a normal URL, they enter a "malicious" string into the Repository URL field. We’ll use a semi-colon (;) to inject commands.
- Execution: Coolify will execute whatever we drop after the semi-colon (;).
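The root cause in the flow above is a URL that reaches a shell as part of a concatenated command string. As an added illustration (not Coolify’s own code; the function and pattern names are my own), the defensive pattern is to allow-list the URL shape, reject shell metacharacters outright, and hand `git` an argument vector rather than a shell string, so a `;` inside the URL stays a literal character:

```python
import re
import shlex
from urllib.parse import urlparse

# Schemes a deployment platform has a reason to accept for a Git remote (assumption).
ALLOWED_SCHEMES = {"https", "ssh", "git"}
# Characters that mean something to a POSIX shell; no legitimate repository URL needs them.
SHELL_METACHARACTERS = re.compile(r"[;&|`$<>(){}\[\]\n\r\\'\" ]")
# scp-like syntax (git@host:owner/repo.git), which urlparse does not understand.
SCP_LIKE = re.compile(r"^[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+:[A-Za-z0-9_./-]+$")


def validate_repo_url(url: str) -> bool:
    """True only for input that looks like a Git remote and carries no shell metacharacters."""
    if not url or len(url) > 2048 or SHELL_METACHARACTERS.search(url):
        return False
    if SCP_LIKE.match(url):
        return True
    parsed = urlparse(url)
    return parsed.scheme in ALLOWED_SCHEMES and bool(parsed.netloc) and bool(parsed.path)


def build_clone_command(url: str, dest: str) -> list[str]:
    """Build argv for `git clone`. Run it with subprocess.run(argv) and no shell=True:
    the URL is then one argument, so a ';' inside it can never start a second command.
    `dest` is assumed to be generated by the platform, not taken from the user."""
    if not validate_repo_url(url):
        raise ValueError("rejected repository URL")
    # '--' stops git from interpreting a URL that begins with '-' as an option.
    return ["git", "clone", "--depth", "1", "--", url, dest]


def unsafe_shell_string(url: str, dest: str) -> str:
    """The shape of the vulnerable pattern: string concatenation handed to a shell.
    Included only to make the contrast visible; never execute this with untrusted input."""
    return f"git clone {url} {dest}"


def safe_shell_string(url: str, dest: str) -> str:
    """If a shell string is unavoidable (e.g. sent over SSH), quote every argument."""
    return " ".join(shlex.quote(arg) for arg in build_clone_command(url, dest))
```

Rejecting at validation time is the first line of defence; the argv form is what makes the clone safe even if a metacharacter slips past the regex.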
The Vulnerable Source Code