Warning: Critical Coolify Vulnerabilities, Patch Immediately!

Published: 07/01/2026
  • Last update: 07/01/2026
  • Affected software:
    → Coolify
  • Type:
    → CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
    → CWE-522: Insufficiently Protected Credentials
  • CVE/CVSS
    → CVE-2025-64424: CVSS 9.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
    → CVE-2025-64420: CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
    → CVE-2025-64419: CVSS 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

Sources

 
CVE-2025-64424: https://github.com/coollabsio/coolify/security/advisories/GHSA-qx24-jhwj-8w6x
CVE-2025-64420: https://github.com/coollabsio/coolify/security/advisories/GHSA-qwxj-qch7-whpc
CVE-2025-64419: https://github.com/coollabsio/coolify/security/advisories/GHSA-234r-xrrg-m8f3
 

Risks

Several critical security vulnerabilities have been identified in Coolify, an open-source platform used to manage servers, applications, and databases. Successful exploitation of these vulnerabilities could give attackers full control over affected servers.

The vulnerabilities allow attackers or low-privileged users to:
• Execute commands as the root user
• Gain direct server access using exposed root SSH credentials
• Fully compromise hosted applications and data

If exploited, these vulnerabilities could lead to data breaches, service outages, reputational damage, and the use of the compromised system for further attacks, such as ransomware deployment or lateral movement within the organisation.

Organisations using Coolify should urgently identify affected instances and take immediate action by upgrading where possible and applying temporary mitigations until all issues are fully resolved.

Description

CVE-2025-64424: Coolify – Command Injection (Critical)

A command injection vulnerability exists in the Git source input fields of a resource. A low-privileged user can inject specially crafted input that is executed as a system command. These commands are executed with root privileges on the Coolify instance. An attacker could leverage this to install malware, create new privileged users, exfiltrate data, or pivot further into the network.

At the time of publication, it is unclear whether a patch is available, increasing the urgency of applying compensating controls.

CVE-2025-64420: Coolify – Information Disclosure of Root SSH Key (Critical)

Low-privileged users can view the private SSH key of the root user on the Coolify instance.

Access to this private key allows an attacker to authenticate directly to the server via SSH as the root user, completely bypassing application-level access controls. Once logged in, the attacker has unrestricted access to the system and all hosted workloads.

This vulnerability represents a complete breakdown of credential protection. As of publication, no confirmed patch information is available, and exposed keys should be considered fully compromised.

CVE-2025-64419: Coolify – Command Injection via Docker Compose (Critical, Fixed)

In Coolify versions prior to v4.0.0-beta.445, parameters from docker-compose.yaml files are not properly sanitised when used in system commands.

If a user deploys an application from a malicious or compromised repository using the Docker Compose build pack, an attacker can embed malicious commands in the configuration. These commands are then executed as root on the Coolify instance.

This vulnerability requires some user interaction (deploying an attacker-controlled repository), but exploitation can result in full system compromise. The issue has been fixed in version 4.0.0-beta.445.
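As an added illustration (this is not Coolify's code and not the actual affected code path), the Python below shows the general pattern behind this class of bug: a constructed docker-compose.yaml whose scalar value carries shell metacharacters, a pre-deployment check that flags such values, and the unsafe string-interpolation form beside the argv-list form that never hands the value to a shell. The function and file names are assumptions made for the example.

```python
import re
import shlex

# Constructed docker-compose.yaml (not from a real deployment); the
# container_name value carries shell metacharacters of the kind the advisory
# says were not sanitised before being used in system commands.
SAMPLE_COMPOSE = """services:
  web:
    image: nginx:latest
    container_name: web$(id)
    command: ["nginx", "-g", "daemon off;"]
"""

# Characters a POSIX shell would interpret if the value were spliced into
# a command string.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n]")


def find_unsafe_scalars(compose_text):
    """Return (key, value) pairs whose scalar value contains shell metacharacters."""
    findings = []
    for line in compose_text.splitlines():
        m = re.match(r"^\s*([A-Za-z_][\w.-]*):\s*(\S.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value[0] in "[{":
            continue  # flow sequence/map, not a single scalar argument
        if SHELL_META.search(value):
            findings.append((key, value))
    return findings


def build_command_unsafe(container_name):
    # Vulnerable pattern: untrusted value interpolated into a string that a
    # shell will parse (e.g. passed with shell=True or to `sh -c`).
    return f"docker inspect {container_name}"


def build_command_safe(container_name):
    # Hardened pattern: argv list handed to the process directly, e.g.
    # subprocess.run(argv, shell=False); the value is one literal argument.
    return ["docker", "inspect", container_name]


def quote_for_shell(value):
    # If a shell string is unavoidable, quote so metacharacters stay literal.
    return shlex.quote(value)
```

Rejecting a deployment when `find_unsafe_scalars` returns anything, and building every command as an argv list, removes the shell from the path between repository content and the root-level process.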

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable instances with the highest priority after thorough testing.

Upgrade to Coolify v4.0.0-beta.445 or later to remediate CVE-2025-64419.

Closely monitor the Coolify GitHub repository and security advisories for patch announcements for CVE-2025-64424 and CVE-2025-64420.

Implement temporary mitigations

• Restrict external and untrusted access to Coolify, especially for low-privileged users.
• Limit who can add Git repositories or deploy Docker Compose-based applications.
• Consider isolating Coolify instances from critical internal systems until fully patched.
• If CVE-2025-64420 may have been exploitable, rotate all SSH keys, credentials, and secrets associated with the affected server.
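The key-rotation step above means, among other things, removing the exposed public key from every authorized_keys file it was installed in. The following Python is an added example (not from the CCB or the Coolify project) that computes OpenSSH-style SHA256 fingerprints and strips entries matching a revocation set; the authorized_keys content and key material are constructed for the example and are not real keys.

```python
import base64
import hashlib

# Constructed authorized_keys content; the key blobs are made-up base64 and
# do not correspond to any real key.
SAMPLE_AUTHORIZED_KEYS = """# root's authorized_keys (constructed sample)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyExposedByCoolify00000000000000000 coolify@host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUnrelatedAdminKey00000000000000000000000000 admin@laptop
"""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(blob_b64):
    """OpenSSH-style fingerprint: SHA256 of the decoded key blob, base64, no padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield dicts for each key line; comments, blanks and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # Options such as command="..." may precede the key type token.
        idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        entries.append({"line": line, "type": parts[idx], "blob": parts[idx + 1],
                        "comment": " ".join(parts[idx + 2:])})
    return entries


def revoke_keys(text, compromised_fingerprints):
    """Return (cleaned_text, removed_fingerprints) with compromised keys dropped."""
    by_line = {e["line"]: e for e in parse_authorized_keys(text)}
    kept, removed = [], []
    for line in text.splitlines():
        entry = by_line.get(line)
        if entry is not None:
            fp = fingerprint(entry["blob"])
            if fp in compromised_fingerprints:
                removed.append(fp)
                continue  # drop the compromised key
        kept.append(line)
    return "\n".join(kept) + "\n", removed
```

The fingerprints of keys Coolify held can be taken from `ssh-keygen -lf` on the exported public keys, then fed to `revoke_keys` for each server the instance managed before new keys are issued.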
Monitor/Detect

The CCB recommends that organisations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
 
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/report-incident.

While patching appliances or software to the newest version or implementing specific mitigations may protect against future exploitation, it does not remediate historic compromise.

References

Cyber Press: https://cyberpress.org/coolify-self-hosting-platform-vulnerabilities/