CVE-2025-34159 CRITICAL

CVE-2025-34159: Coolify Docker Compose Directive Injection in Application Deployment Workflow

Vendor: Coollabs Technologies
Product: Coolify
Weakness: CWE-94 · Code injection
Published: August 27, 2025
Last update: May 26, 2026

CVSS base score

9.4/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01 Description

Coolify versions prior to v4.0.0-beta.420.6 contain a remote code execution vulnerability in the application deployment workflow. The platform allows authenticated users with low-level member privileges to inject arbitrary Docker Compose directives during project creation. By crafting a malicious service definition that mounts the host root filesystem, an attacker can gain full root access to the underlying server.
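A defensive check for the condition described above, as an added example (not Coolify's code and not its actual fix): it walks an already-parsed Compose document and reports services whose bind mounts fall outside an allowlist of host paths. The allowlist prefix `/data/apps`, the function names and the sample document are assumptions constructed for illustration.

```python
import posixpath

# Assumption: host paths that deployments may bind-mount; everything else is rejected.
ALLOWED_HOST_PREFIXES = ("/data/apps",)


def host_source(volume):
    """Return the host path of a bind mount, or None for named/anonymous volumes."""
    if isinstance(volume, dict):  # long syntax: {type, source, target}
        if volume.get("type") == "bind":
            return str(volume.get("source", ""))
        return None
    parts = str(volume).split(":")
    if len(parts) < 2:  # anonymous volume: container path only
        return None
    src = parts[0]
    # Short syntax: a source starting with /, . or ~ is a host path, otherwise a named volume.
    return src if src.startswith(("/", ".", "~")) else None


def is_allowed(path):
    if not path.startswith("/"):  # relative and ~ paths resolve on the host: reject
        return False
    norm = posixpath.normpath(path)  # collapses "..", so /data/apps/../.. becomes /
    return any(norm == p or norm.startswith(p + "/") for p in ALLOWED_HOST_PREFIXES)


def find_forbidden_mounts(compose):
    """Return (service, host_path) pairs for bind mounts outside the allowlist."""
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        for vol in (svc or {}).get("volumes") or []:
            src = host_source(vol)
            if src is not None and not is_allowed(src):
                findings.append((name, src))
    return findings


# Constructed sample: a Compose document after YAML parsing.
SAMPLE = {"services": {
    "web": {"image": "nginx", "volumes": ["/data/apps/web/html:/usr/share/nginx/html:ro", "cache:/var/cache"]},
    "helper": {"image": "alpine", "volumes": ["/:/host"]},
    "job": {"image": "alpine", "volumes": [{"type": "bind", "source": "/data/apps/../..", "target": "/mnt"}]},
}}

if __name__ == "__main__":
    for service, path in find_forbidden_mounts(SAMPLE):
        print(f"reject: service {service!r} bind-mounts host path {path!r}")
```

Volume mounts are only one kind of directive, and the description covers arbitrary directive injection, so a check like this complements upgrading to v4.0.0-beta.420.6 or later rather than replacing it.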

Key dates

02 Disclosure timeline

August 27, 2025: CVE published
May 26, 2026: Record updated

Related vulnerabilities

04 Related CVE