The self-hosting community is on high alert following the disclosure of three critical vulnerabilities in Coolify, the open-source platform designed to simplify application deployment. Security researchers have identified a cluster of flaws that could allow attackers to bypass authentication, execute arbitrary code as root, and steal sensitive cryptographic keys. With over 52,000 instances exposed globally—particularly in Germany and the United States—administrators are urged to patch immediately against these easily exploitable defects.
The first major vulnerability, tracked as CVE-2025-64419, turns the platform’s deployment mechanics into a weapon. This command injection flaw resides in the “docker compose build pack” parameters. Attackers can exploit this by tricking a victim into creating an application from a malicious repository. Because the system fails to properly sanitize these parameters, the attacker can inject shell commands that execute with elevated privileges. This allows them to effectively seize control of the host system through what appears to be a standard deployment process.
The second command injection flaw, CVE-2025-64424, opens a similar door but for a different class of user. This vulnerability affects the “git source input fields” found in resource configurations. Unlike the previous flaw, which relied on a malicious repository, this one allows low-privileged users—specifically those with “member” access—to directly inject malicious commands into the input fields. Since these inputs are not sanitized before being executed by the system, a rogue team member or compromised account can instantly run arbitrary commands on the Coolify instance, escalating their access far beyond their intended permissions.
Perhaps the most insidious of the three is CVE-2025-64420, an information disclosure vulnerability that acts as a skeleton key for the entire server. This flaw allows low-privileged users to access the platform’s “private SSH key.” With this key in hand, an attacker no longer needs to rely on complex exploits; they can simply authenticate via SSH as a trusted user. This grants them direct, elevated access to the Coolify instance and the underlying server, bypassing standard authentication mechanisms entirely and allowing for persistent backdoor access.
The danger is compounded by the simplicity of the attacks. A video proof-of-concept supplied by GitHub reportedly demonstrates “trivial command injection,” suggesting that the technical barrier for exploiting these flaws is incredibly low. While widespread active attacks have not yet been confirmed, the sheer number of exposed hosts makes this a ticking time bomb.
Remediation
Administrators are advised to upgrade their Coolify instances immediately. The flaws affect versions prior to v4.0.0-beta.445 (for the Docker Compose flaw) and v4.0.0-beta.434 (for the SSH and Git Input flaws). Prompt patching is the only effective defense against this critical trifecta.
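A small patch-status triage helper, added here as an example and not code from the original advisory or from the Coolify project; it assumes the builds quoted above (beta.445 and beta.434) are the first fixed builds for their respective CVEs and that an instance reports its version as a v4.0.0-beta.N string:

```python
import re
from typing import Optional

# First fixed beta build per CVE, taken from the advisory text above
# (assumption: "prior to X" means build X itself is patched).
FIXED_BUILDS = {
    "CVE-2025-64419": 445,  # docker compose build pack command injection
    "CVE-2025-64420": 434,  # private SSH key disclosure
    "CVE-2025-64424": 434,  # git source input field command injection
}

# Only the v4.0.0-beta.N scheme discussed on this page is recognised.
_VERSION_RE = re.compile(r"^v?4\.0\.0-beta\.(\d+)$")


def parse_beta_build(version: str) -> Optional[int]:
    """Return the beta build number from a 'v4.0.0-beta.N' string, else None."""
    match = _VERSION_RE.match(version.strip())
    return int(match.group(1)) if match else None


def unpatched_cves(version: str) -> list[str]:
    """List the CVEs from this advisory that the given Coolify build is still exposed to.

    An unrecognised version string raises instead of being reported as safe,
    so a typo in an inventory record cannot hide an exposed host.
    """
    build = parse_beta_build(version)
    if build is None:
        raise ValueError(f"unrecognised Coolify version: {version!r}")
    return sorted(cve for cve, fixed in FIXED_BUILDS.items() if build < fixed)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("build-1", "v4.0.0-beta.433"), ("build-2", "v4.0.0-beta.440")]:
        missing = unpatched_cves(ver)
        print(host, ver, "exposed to:" if missing else "patched", ", ".join(missing))
```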