Seven critical security vulnerabilities with the highest rating threaten Coolify
The self-hosting platform Coolify is severely vulnerable. According to security researchers, there are almost 15,000 vulnerable instances in Germany alone.
Admins of Platform-as-a-Service environments based on Coolify should update their instances promptly. Otherwise, attackers could exploit seven security vulnerabilities rated “critical” with the highest possible severity (CVSS score 10 out of 10) to, among other things, fully compromise servers.
Scans by security researchers from Censys show that the largest share of vulnerable systems is located in Germany. Worldwide, there are over 52,000 instances; in Germany, they found just under 14,800 systems. It is currently unclear whether attacks have already occurred. Admins should nevertheless not delay patching for long.
Attack Vectors
Even though attackers must be authenticated in most cases, the majority of the vulnerabilities are classified as “critical” in terms of threat level. If attackers successfully exploit them, they can, for example, execute malicious code as the root user and thus gain full control over the system (e.g., CVE-2025-64424). In addition, private SSH keys that are supposed to be protected can be read (CVE-2025-64420), allowing attackers to gain unauthorized access.
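Several of the advisories listed below describe the same bug class: a user-supplied filename or path parameter that ends up in a shell command. The following is an added illustration of that class in generic form, not Coolify's code and not a reproduction of any of the listed vulnerabilities; the `psql`-style command, the `/data` base directory and the sample filenames are constructed for the example. It contrasts the vulnerable string-building pattern with an allowlist check plus an argument vector, and shows that a hostile string passed as a discrete argv element is delivered as data rather than parsed as commands.

```python
"""Illustration of the 'command injection via filename parameter' bug class
(added example, not Coolify code): an untrusted filename spliced into a shell
command string versus one that is validated and passed as a single argv element."""
import re
import subprocess
import sys
from pathlib import PurePosixPath

# Constructed sample inputs (not taken from the article or from Coolify).
BENIGN_NAME = "init.sql"
HOSTILE_NAME = "init.sql; echo injected"   # shell metacharacters smuggled into a filename
TRAVERSAL_NAME = "../etc/passwd"           # path traversal attempt
OPTION_NAME = "-f"                         # would be parsed as an option by the child

# Hypothetical base directory for the example; not a Coolify path.
INIT_SCRIPT_DIR = PurePosixPath("/data")

# Allowlist: a single path component made of letters, digits, '.', '_' and '-',
# with a first character that can neither start an option ('-') nor a dotfile.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]*")


def vulnerable_command_line(filename: str) -> str:
    """The anti-pattern: interpolate untrusted input into a string meant for `sh -c`.
    Returned, never executed here, to show that the metacharacters survive intact."""
    return f"psql -f {INIT_SCRIPT_DIR}/{filename}"


def is_safe_filename(filename: str) -> bool:
    """Allowlist check: rejects separators, shell metacharacters, empty names,
    leading '-' (option injection) and oversized names."""
    return len(filename) <= 255 and _SAFE_NAME.fullmatch(filename) is not None


def build_argv(filename: str) -> list[str]:
    """The hardened pattern: validate first, then build an argument vector.
    With shell=False each element reaches the child as one argv entry and no
    shell ever parses it."""
    if not is_safe_filename(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return ["psql", "-f", str(INIT_SCRIPT_DIR / filename)]


def argv_roundtrip(untrusted: str) -> str:
    """Demonstrate (without psql) that an argv element is delivered verbatim:
    a Python child prints its sys.argv[1], so the hostile string comes back as
    data and 'echo injected' is never run."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", untrusted],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


if __name__ == "__main__":
    print("vulnerable string:", vulnerable_command_line(HOSTILE_NAME))
    for name in (BENIGN_NAME, HOSTILE_NAME, TRAVERSAL_NAME, OPTION_NAME):
        try:
            print("accepted:", build_argv(name))
        except ValueError as exc:
            print("rejected:", exc)
    print("argv roundtrip:", argv_roundtrip(HOSTILE_NAME))
```

The allowlist is deliberately narrow: an allowlist of safe characters is easier to reason about than a denylist of shell metacharacters, and refusing a leading `-` closes the separate option-injection path that `shell=False` alone does not address.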
Missing Security Patches
A total of 16 vulnerabilities are known. However, according to the entries on GitHub (see the list at the end of this article), security updates are currently available for only eight of them. It is currently unclear when the developers will fix the remaining vulnerabilities.
These patches are currently available:
- v4.0.0-beta.420.7
- >= 4.0.0-beta.451
Admins can find further information on the affected versions and security updates in the linked advisories. The list is sorted by threat level in descending order:
- Authenticated Remote Code Execution via Command Injection in PostgreSQL Init Script Filename
- Git Repository RCE in Coolify
- Authenticated Remote Code Execution via Command Injection in File Storage Directory Mount Path
- Authenticated Remote Code Execution via Command Injection in Database Import
- Members can see private key of root user (no patch currently available according to entry)
- Authenticated Remote Code Execution via Command Injection in Dynamic Proxy Configuration Filename
- Authenticated Remote Code Execution via Command Injection in Database Backup
- Command injection via docker-compose.yaml parameters (no patch currently available according to entry)
- Command injection in project git source (no patch currently available according to entry)
- Docker Compose Injection in Coolify
- Stored XSS in Project Name
- Privilege escalation - Low privileged user can invite themselves as an admin user (no patch currently available according to entry)
- Host header injection in forgot password (no patch currently available according to entry)
- Privilege Escalation - low privileged users can see and use admin invitation links (no patch currently available according to entry)
- Sensitive information `email_change_code` leaked in `/api/v1/teams/{team_id | current}/members` API endpoint (no patch currently available according to entry)
- Rate-limit bypass on login via X-Forwarded-Host header (no patch currently available according to entry)
(des)