CVE-2025-34157 is a stored cross-site scripting (XSS) vulnerability affecting Coolify, an open-source platform by coolLabs Technologies used for managing and deploying applications. The flaw exists in versions prior to v4.0.0-beta.420.6 within the project creation workflow. Specifically, an authenticated user with low privileges can create a project with a maliciously crafted name containing embedded JavaScript code. This malicious payload is stored persistently in the system. When an administrator attempts to delete the project or its associated resources, the stored script executes in the administrator’s browser context. This execution context allows the attacker to fully compromise the Coolify instance by stealing sensitive data such as API tokens and session cookies, and gaining unauthorized access to WebSocket-based terminal sessions on the managed servers. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), allowing injection of executable scripts. The attack requires no elevated privileges for the attacker beyond basic authenticated access, and no additional user interaction beyond the admin’s normal workflow. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) indicates network attack vector, low attack complexity, no attacker privileges required beyond low-level authentication, and high impact on confidentiality, integrity, and availability. Although no known exploits have been observed in the wild, the critical severity demands immediate attention. The vulnerability can lead to complete takeover of the Coolify management environment and potentially the underlying infrastructure it controls.

For European organizations using Coolify, this vulnerability poses a significant risk of full system compromise. The ability for a low-privilege user to execute arbitrary JavaScript in an administrator’s browser can lead to theft of sensitive credentials, unauthorized access to backend servers, and potential lateral movement within the network. This can result in data breaches, service disruption, and loss of control over critical deployment infrastructure. Given Coolify’s role in managing application deployments and server terminals, exploitation could impact availability and integrity of business-critical services. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, face heightened compliance risks and potential legal consequences. The vulnerability’s network-exploitable nature means remote attackers within the organization or with compromised low-level accounts can leverage it without physical access. The lack of known exploits in the wild provides a window for proactive mitigation, but the critical CVSS score underscores the urgency.

1. Upgrade Coolify to version v4.0.0-beta.420.6 or later where the vulnerability is patched. 2. Implement strict input validation and sanitization on all user-supplied data, especially project names, to prevent injection of executable scripts. 3. Restrict project creation permissions to trusted users only, minimizing exposure to malicious input. 4. Harden administrator workflows by employing browser security features such as Content Security Policy (CSP) to limit script execution scope. 5. Use multi-factor authentication and session management best practices to reduce risk from stolen tokens or cookies. 6. Monitor administrative actions and logs for unusual activity indicative of exploitation attempts. 7. Isolate Coolify management interfaces within secure network segments and restrict access to trusted IP ranges. 8. Educate administrators about the risk of interacting with untrusted projects and encourage cautious handling of project deletions or resource management. 9. Regularly audit and update dependencies and third-party components to reduce attack surface. 10. Consider deploying web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting this vulnerability.