CVE-2025-34161 CRITICAL

CVE-2025-34161: Coolify Git Repository Field Command Injection in Project Deployment Workflow

Vendor Coollabs Technologies

Product Coolify

Weakness CWE-78

Published August 27, 2025

Last update May 26, 2026

View on NVD All CVEs

CVSS base score

9.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01Description

Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deployment workflow. The platform allows authenticated users, with low-level member privileges, to inject arbitrary shell commands via the Git Repository field during project creation. By submitting a crafted repository string containing command injection syntax, an attacker can execute arbitrary commands on the underlying host system, resulting in full server compromise.

Key dates

02Disclosure timeline

August 27, 2025 CVE published

May 26, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-34161 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

CVE-2025-34161: Coolify Git Repository Field Command Injection in Project Deployment Workflow

01Description

02Disclosure timeline

03References

04Related CVE