PT-2025-4592 · Coolify · Coolify

Darker-Ink +1
Published: 2025-01-24 · Updated: 2025-01-24
CVE-2025-22606
CVSS v4.0: 9.3 (Critical)
Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: Coolify versions 4.0.0-beta.358 and earlier
Description: The issue allows attackers to inject arbitrary shell commands by altering the project name, potentially resulting in full system compromise, creation, modification, or deletion of sensitive system files, and privilege escalation. This can be achieved by including unescaped characters, such as single quotes (`'`), in the project name, which breaks out of the intended command structure. Attackers with access to project management features could exploit this flaw to gain unauthorized control over the host environment.
Recommendations: For Coolify versions 4.0.0-beta.358 and earlier, update to version 4.0.0-beta.359 or later to resolve the issue. As a temporary workaround, consider restricting access to project management features to minimize the risk of exploitation. Avoid using unescaped characters, such as single quotes (`'`), in project names until the issue is resolved.
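Added illustration of the bug class the advisory describes (a single quote in a project name ending a quoted shell string early) beside the hardened form; this is not Coolify's code, and the `mkdir` command, the `/data` path and the allow-listed name rules are assumptions made for the example:

```python
import re
import shlex
from typing import List, Optional

# Hypothetical command shape and path, used only for this illustration;
# the advisory does not publish the actual command Coolify builds.
PROJECT_ROOT = "/data"

# Constructed sample names: one benign, one carrying a single quote.
BENIGN_NAME = "my-project"
QUOTED_NAME = "it's-a-demo"


def unsafe_command(name: str) -> str:
    """The vulnerable pattern: the name is pasted into a shell string.

    The surrounding single quotes look protective, but a quote inside the
    name closes them early and the rest of the name is parsed as shell syntax.
    """
    return f"mkdir -p '{PROJECT_ROOT}/{name}'"


def shell_tokens(command: str) -> Optional[List[str]]:
    """Tokenise like a POSIX shell, without executing anything.

    Returns None when quoting is unbalanced, i.e. the input has already
    broken the intended command structure.
    """
    try:
        return shlex.split(command)
    except ValueError:
        return None


def is_valid_project_name(name: str) -> bool:
    """Allow-list check: letters, digits, '.', '_' and '-' only, 1-64 chars."""
    return re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}", name) is not None


def safe_argv(name: str) -> List[str]:
    """Hardened form: validate, then hand the name over as its own argv
    element so no shell parses it (run with subprocess.run and shell=False)."""
    if not is_valid_project_name(name):
        raise ValueError(f"rejected project name: {name!r}")
    return ["mkdir", "-p", f"{PROJECT_ROOT}/{name}"]


def quoted_command(name: str) -> str:
    """Defence in depth when a shell string is unavoidable: shlex.quote
    escapes embedded quotes so the name stays one argument."""
    return f"mkdir -p {shlex.quote(PROJECT_ROOT + '/' + name)}"
```

`shell_tokens` only parses; it never runs the command, so the unsafe string can be inspected safely in a test or a code review.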

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2025-22606, GHSA-CCP8-V65G-M526

Affected Products: Coolify