Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, a Remote Code Execution (RCE)*vulnerability exists in Coolify's application deployment workflow. This flaw allows a low-privileged member to inject arbitrary Docker Compose directives during project creation or updates. By defining a malicious service that mounts the host filesystem, an attacker can achieve root-level command execution on the host OS, completely bypassing container isolation. Version 4.0.0-beta.420.7 contains a patch for the issue.

INFO

Published Date :

2026-01-05T17:39:42.702Z

Last Modified :

2026-01-05T19:53:41.559Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-59156 vulnerability.

Vendors Products
Coollabs
  • Coolify
Coollabsio
  • Coolify
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-59156.

URL Resource
https://github.com/coollabsio/coolify/security/advisories/GHSA-h5xw-7xvp-xrxr cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact