Vulnerability Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In version 4.0.0-beta.358 and possibly earlier versions, when creating or updating a "project," it is possible to inject arbitrary shell commands by altering the project name. If a name includes unescaped characters, such as single quotes (`'`), it breaks out of the intended command structure, allowing attackers to execute arbitrary commands on the host system. This vulnerability allows attackers to execute arbitrary commands on the host server, which could result in full system compromise; create, modify, or delete sensitive system files; and escalate privileges depending on the permissions of the executed process. Attackers with access to project management features could exploit this flaw to gain unauthorized control over the host environment. Version 4.0.0-beta.359 fixes this issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Coollabs | Coolify | 4.0.0 |
Related Weaknesses (CWE)
References
- https://github.com/coollabsio/coolify/security/advisories/GHSA-ccp8-v65g-m526ExploitVendor Advisory
FAQ
What is CVE-2025-22606?
CVE-2025-22606 is a vulnerability with a CVSS score of 7.8 (HIGH). Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In version 4.0.0-beta.358 and possibly earlier versions, when creating or updating a "project," it i...
How severe is CVE-2025-22606?
CVE-2025-22606 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-22606?
Check the references section above for vendor advisories and patch information. Affected products include: Coollabs Coolify.