Unrated severityNVD Advisory· Published Aug 27, 2025· Updated Nov 19, 2025
Coolify Docker Compose Directive Injection in Application Deployment Workflow
CVE-2025-34159
Description
Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application deployment workflow. The platform allows authenticated users, with low-level member privileges, to inject arbitrary Docker Compose directives during project creation. By crafting a malicious service definition that mounts the host root filesystem, an attacker can gain full root access to the underlying server.
Affected products
2- Range: <4.0.0-beta.420.6
- coolLabs Technologies/Coolifyv5Range: *
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.420.7mitrevendor-advisorypatch
- coolify.iomitreproduct
News mentions
0No linked articles in our index yet.