CVE-2025-34157

Coolify Stored Cross-Site Scripting (XSS) in Project Name Field

Description

Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator attempts to delete the project or its associated resource, the payload executes in the admin’s browser context. This results in full compromise of the Coolify instance, including theft of API tokens, session cookies, and access to WebSocket-based terminal sessions on managed servers.

INFO

Published Date :

2025-08-27T16:48:03.027Z

Last Modified :

2025-11-19T01:28:12.286Z

Source :

VulnCheck

AFFECTED PRODUCTS

The following products are affected by CVE-2025-34157 vulnerability.

Vendors	Products
Coollabs	Coolify

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-34157.

URL	Resource
https://coolify.io/
https://github.com/Eyodav/CVE-2025-34157
https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.420.7

CVSS Vulnerability Scoring System

V4
V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact