📄 Coolify 4.0.0-beta.420.6 Command Injection

| Field       | Value                          |
    |-------------|--------------------------------|
    | CVE ID      | CVE-2025-34161                 |
    | Affected    | Coolify <= v4.0.0-beta.420.6   |
    | Fixed in    | v4.0.0-beta.420.7              |
    | Severity    | Critical                       |
    | CVSS 4.0    | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H|
    | CWE         | CWE-78 (OS Command Injection)  |
    
    
    ## 📝 Summary
    Coolify versions prior to and including v4.0.0-beta.420.6 are vulnerable to a critical remote code execution (RCE) flaw in the project deployment workflow. The platform allows authenticated users, with low-level privileges, to inject arbitrary shell commands via the Git Repository URL field during project creation. By submitting a crafted repository string containing command injection syntax, an attacker can execute arbitrary commands on the underlying host system, resulting in full server compromise.
    
    ## ⚡ Impact
    - Remote Code Execution (RCE)
    - Privilege escalation from low-level user to full host compromise
    - Complete loss of confidentiality, integrity, and availability
    
    ## 🛠️ Steps to Reproduce
    1. Login as a low-privileged user  
    2. Create a new project
    3. Select private GIT 
    4. Insert a malicious payload in the `Git Repository URL` field (e.g. ``[email protected]:fake/repo.git; cat /etc/passwd #;``)  
    5. Deploy the project → observe arbitrary command execution in the log 
    
    ## 🔗 References
    - [CVE Record - CVE-2025-34161](https://cve.org/CVERecord?id=CVE-2025-34161)