CVE-2025-22606 (GCVE-0-2025-22606)

Vulnerability from cvelistv5 – Published: 2025-01-24 15:38 – Updated: 2025-02-12 20:01
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In version 4.0.0-beta.358 and possibly earlier versions, when creating or updating a "project," it is possible to inject arbitrary shell commands by altering the project name. If a name includes unescaped characters, such as single quotes (`'`), it breaks out of the intended command structure, allowing attackers to execute arbitrary commands on the host system. This vulnerability allows attackers to execute arbitrary commands on the host server, which could result in full system compromise; create, modify, or delete sensitive system files; and escalate privileges depending on the permissions of the executed process. Attackers with access to project management features could exploit this flaw to gain unauthorized control over the host environment. Version 4.0.0-beta.359 fixes this issue.
CWE
  • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Impacted products
Vendor Product Version
coollabsio coolify Affected: < 4.0.0-beta.359

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-22606",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-24T16:08:38.470593Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T20:01:19.366Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "coolify",
          "vendor": "coollabsio",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.0.0-beta.359"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In version 4.0.0-beta.358 and possibly earlier versions, when creating or updating a \"project,\" it is possible to inject arbitrary shell commands by altering the project name. If a name includes unescaped characters, such as single quotes (`\u0027`), it breaks out of the intended command structure, allowing attackers to execute arbitrary commands on the host system. This vulnerability allows attackers to execute arbitrary commands on the host server, which could result in full system compromise; create, modify, or delete sensitive system files; and escalate privileges depending on the permissions of the executed process. Attackers with access to project management features could exploit this flaw to gain unauthorized control over the host environment. Version 4.0.0-beta.359 fixes this issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-24T15:40:44.749Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-ccp8-v65g-m526",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-ccp8-v65g-m526"
        }
      ],
      "source": {
        "advisory": "GHSA-ccp8-v65g-m526",
        "discovery": "UNKNOWN"
      },
      "title": "Coolify Command Injection Vulnerability in Project Name"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-22606",
    "datePublished": "2025-01-24T15:38:47.352Z",
    "dateReserved": "2025-01-07T15:07:26.775Z",
    "dateUpdated": "2025-02-12T20:01:19.366Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-22606\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-01-24T16:15:38.307\",\"lastModified\":\"2025-09-19T15:12:30.707\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In version 4.0.0-beta.358 and possibly earlier versions, when creating or updating a \\\"project,\\\" it is possible to inject arbitrary shell commands by altering the project name. If a name includes unescaped characters, such as single quotes (`\u0027`), it breaks out of the intended command structure, allowing attackers to execute arbitrary commands on the host system. This vulnerability allows attackers to execute arbitrary commands on the host server, which could result in full system compromise; create, modify, or delete sensitive system files; and escalate privileges depending on the permissions of the executed process. Attackers with access to project management features could exploit this flaw to gain unauthorized control over the host environment. Version 4.0.0-beta.359 fixes this issue.\"},{\"lang\":\"es\",\"value\":\"Coolify es una herramienta de c\u00f3digo abierto y autoalojable para administrar servidores, aplicaciones y bases de datos. En la versi\u00f3n 4.0.0-beta.358 y posiblemente versiones anteriores, al crear o actualizar un \\\"proyecto\\\", es posible inyectar comandos de shell arbitrarios modificando el nombre del proyecto. Si un nombre incluye caracteres sin escape, como comillas simples (`\u0027`), se sale de la estructura de comandos prevista, lo que permite a los atacantes ejecutar comandos arbitrarios en el host sistema. Esta vulnerabilidad permite a los atacantes ejecutar comandos arbitrarios en el servidor host, lo que podr\u00eda provocar un compromiso total del sistema; crear, modificar o eliminar archivos confidenciales del sistema; y escalar privilegios dependiendo de los permisos del proceso ejecutado. Los atacantes con acceso a las funciones de administraci\u00f3n de proyectos podr\u00edan explotar esta falla para obtener control no autorizado sobre el entorno del host. La versi\u00f3n 4.0.0-beta.359 corrige este problema.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:coollabs:coolify:4.0.0:beta358:*:*:*:*:*:*\",\"matchCriteriaId\":\"E851824E-3A70-4D0F-A335-29943E666461\"}]}]}],\"references\":[{\"url\":\"https://github.com/coollabsio/coolify/security/advisories/GHSA-ccp8-v65g-m526\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Coolify Command Injection Vulnerability in Project Name\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-78\", \"lang\": \"en\", \"description\": \"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV4_0\": {\"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"HIGH\", \"subIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"HIGH\", \"baseScore\": 8.5, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P\", \"version\": \"4.0\"}}], \"references\": [{\"name\": \"https://github.com/coollabsio/coolify/security/advisories/GHSA-ccp8-v65g-m526\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/coollabsio/coolify/security/advisories/GHSA-ccp8-v65g-m526\"}], \"affected\": [{\"vendor\": \"coollabsio\", \"product\": \"coolify\", \"versions\": [{\"version\": \"\u003c 4.0.0-beta.359\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-01-24T15:40:44.749Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In version 4.0.0-beta.358 and possibly earlier versions, when creating or updating a \\\"project,\\\" it is possible to inject arbitrary shell commands by altering the project name. If a name includes unescaped characters, such as single quotes (`\u0027`), it breaks out of the intended command structure, allowing attackers to execute arbitrary commands on the host system. This vulnerability allows attackers to execute arbitrary commands on the host server, which could result in full system compromise; create, modify, or delete sensitive system files; and escalate privileges depending on the permissions of the executed process. Attackers with access to project management features could exploit this flaw to gain unauthorized control over the host environment. Version 4.0.0-beta.359 fixes this issue.\"}], \"source\": {\"advisory\": \"GHSA-ccp8-v65g-m526\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-22606\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-24T16:08:38.470593Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2025-02-12T19:55:50.929Z\"}, \"title\": \"CISA ADP Vulnrichment\"}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-22606\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2025-01-07T15:07:26.775Z\", \"datePublished\": \"2025-01-24T15:38:47.352Z\", \"dateUpdated\": \"2025-01-24T15:40:44.749Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}