CVE-2025-34157 is a critical stored cross-site scripting (XSS) vulnerability affecting Coolify, a product by coolLabs Technologies, in versions prior to v4.0.0-beta.420.6. The flaw exists in the project creation workflow, where an authenticated user with low privileges can create a project with a maliciously crafted name containing embedded JavaScript code. This payload is stored and later executed in the browser context of an administrator when they attempt to delete the project or its associated resources. The exploitation of this vulnerability results in full compromise of the Coolify instance. Specifically, the attacker can steal sensitive information such as API tokens and session cookies, and gain unauthorized access to WebSocket-based terminal sessions on managed servers. This level of access allows attackers to execute arbitrary commands on servers managed through Coolify, potentially leading to complete system takeover. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e., XSS) and CWE-20 (Improper Input Validation). The CVSS v4.0 score is 9.4 (critical), reflecting the network attack vector, low attack complexity, no required authentication beyond low privilege, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but the severity and ease of exploitation make this a significant threat to any organization using vulnerable Coolify versions.

For European organizations using Coolify to manage their infrastructure, this vulnerability poses a severe risk. The ability for a low-privileged user to escalate privileges and compromise administrative sessions can lead to unauthorized access to critical infrastructure components. This can result in data breaches involving sensitive corporate information, disruption of services due to compromised server control, and potential lateral movement within the network. The theft of API tokens and session cookies can facilitate persistent access and further exploitation. Given that Coolify manages WebSocket-based terminal sessions, attackers could execute arbitrary commands on production servers, leading to data loss, service outages, or deployment of malware/ransomware. The impact is particularly critical for organizations in sectors with strict regulatory requirements such as finance, healthcare, and critical infrastructure, where data confidentiality and service availability are paramount. Additionally, the attack vector requires only low privilege and user interaction limited to project creation, increasing the likelihood of exploitation in environments with multiple users or contractors.

1. Immediate upgrade to Coolify version 4.0.0-beta.420.6 or later, where this vulnerability is fixed, is the most effective mitigation. 2. Implement strict input validation and sanitization on project names and other user-supplied inputs to prevent injection of executable scripts. 3. Restrict project creation permissions to trusted users only, reducing the risk of malicious project names being introduced by low-privileged users. 4. Employ Content Security Policy (CSP) headers to limit the execution of inline scripts and reduce the impact of XSS vulnerabilities. 5. Monitor administrative actions and audit logs for suspicious activity, especially project deletions and resource management operations. 6. Use multi-factor authentication (MFA) for administrative accounts to reduce the risk of session hijacking. 7. Isolate Coolify management interfaces behind VPNs or internal networks to limit exposure to untrusted users. 8. Conduct regular security assessments and penetration testing focused on web application vulnerabilities to detect similar issues proactively.