CVE-2025-34159: CWE-94 Improper Control of Generation of Code ('Code Injection') in coolLabs Technologies Coolify
Description
Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application deployment workflow. The platform allows authenticated users, with low-level member privileges, to inject arbitrary Docker Compose directives during project creation. By crafting a malicious service definition that mounts the host root filesystem, an attacker can gain full root access to the underlying server.
AI Analysis
Technical Summary
CVE-2025-34159 is a remote code execution vulnerability in Coolify, an open-source, self-hosted application deployment platform by coolLabs Technologies. It affects versions prior to v4.0.0-beta.420.6 and is classified as improper control of code generation (CWE-94) together with insufficient input validation (CWE-20) in the deployment workflow: the Docker Compose definition a user supplies at project creation is passed through to the deployment host without the platform constraining which directives it may contain.

An authenticated user with only low-level member privileges can therefore define a service whose volumes directive bind-mounts the host root filesystem into the container. No container escape in the usual sense is needed. The Docker daemon on the deployment server, which runs as root in the default configuration, performs the mount exactly as instructed, and the attacker reads and writes the host filesystem from inside the container, which amounts to full root access on the server.

Exploitation requires no user interaction and no privilege beyond ordinary membership. The CVSS 4.0 base score is 9.4 (Critical): network attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity and availability. No exploitation in the wild had been reported at the time of analysis, but the risk is severe for any Coolify instance, above all multi-tenant or shared instances where low-privilege members exist. The fix ships in v4.0.0-beta.420.6; instances that cannot be upgraded promptly need compensating controls, namely access restriction and validation of user-supplied Compose definitions.
Potential Impact
For European organizations the impact is severe. Coolify is used to streamline application deployment, often in cloud or hybrid environments, and the deployment server typically holds the credentials, environment variables and data of every application it hosts. Exploitation gives full root on that server, so confidentiality, integrity and availability of all hosted applications and data are lost at once. An attacker can deploy malicious containers, exfiltrate secrets, disrupt services, or pivot to other internal systems reachable from the host.

Organizations in sectors with stringent data protection regulations, such as finance, healthcare and government, additionally face regulatory penalties and reputational damage. Because a low-privilege authenticated account suffices, the threat from insiders and from compromised developer accounts is correspondingly higher. Where Coolify deploys software into multiple downstream environments, the same access can be used for supply chain attacks against those environments. European entities using Coolify should therefore treat remediation as a priority.
Mitigation Recommendations
1. Upgrade Coolify to v4.0.0-beta.420.6 or later. The fix is in that release, and upgrading is the only complete remediation.
2. Until every instance is upgraded, restrict project creation and deployment to trusted users and remove untrusted accounts from teams; treat any member as capable of obtaining root on the deployment server.
3. Validate user-supplied Docker Compose definitions before deployment: reject bind mounts of host paths (in particular / and /var/run/docker.sock), named volumes whose driver_opts bind a host device, privileged: true, pid/network_mode/ipc set to host, dangerous cap_add entries and unconfined security_opt values. Treat this as defence in depth rather than a fix; deny-lists of directives are easy to bypass and the upgrade is what closes the hole.
4. Segment deployment servers from the rest of the network and from each other, and run one tenant per server where possible, so that root on one host does not expose other tenants.
5. Monitor deployments: alert on Compose definitions that mount host filesystems and on containers started with privileged or host-namespace options, for example from docker events or by inspecting the Compose files on the deployment host.
6. Use container runtime security tooling (Falco-style syscall rules, for example) to detect containers that access host paths or attempt privilege escalation.
7. Audit team membership and deployment activity regularly. A low-privilege account is enough for this attack, so review recent deployments by every member, not only administrators.
8. Train developers and DevOps teams on code injection in deployment pipelines and enforce secure deployment practices.
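The following validator is an added example, not Coolify's code and not the project's fix. It implements the check that the technical summary and mitigations 3 and 5 call for: given a Docker Compose document already parsed into Python structures (the output of yaml.safe_load, or better of docker compose config, which resolves includes and variables first), it returns a finding for every directive that would give a service host access. It starts with the host-root bind mount the advisory describes and extends to the equivalent routes a deny-list on `volumes` alone would miss: named volumes bound to a host device through driver_opts, the Docker socket, privileged mode, host namespaces, dangerous capabilities and disabled confinement. The `check_compose` function, the `Finding` type, the `allowed_bind_prefixes` parameter and the sample document are all constructed here.

```python
"""Policy check for untrusted Docker Compose definitions (added example, not Coolify code).

Input is a compose document parsed into Python structures (yaml.safe_load output).
SAMPLE_COMPOSE at the bottom is constructed for this example.
"""
from dataclasses import dataclass
import posixpath

# Capabilities that by themselves are enough to break out of a container.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH", "NET_ADMIN"}


@dataclass
class Finding:
    service: str    # service name, or "volume:<name>" for a top-level volume
    directive: str  # compose key that triggered the finding
    detail: str


def _bind_source(entry):
    """Host-side source of a volume entry; None for named, anonymous or tmpfs volumes."""
    if isinstance(entry, str):
        parts = entry.split(":")
        if len(parts) == 1:
            return None  # "/data": anonymous volume, container path only
        src = parts[0]
        # "/x", "./x", "../x", "~/x", "$VAR/x" are host paths; anything else names a volume
        return src if src[:1] in ("/", ".", "~", "$") else None
    if isinstance(entry, dict):
        kind = entry.get("type", "bind" if "source" in entry else "volume")
        return entry.get("source") if kind == "bind" else None
    return None


def _under(path, prefix):
    prefix = posixpath.normpath(prefix)
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def _host_path_problem(src, allowed):
    if src.startswith("~"):
        return "bind mount of a home directory"
    if src.startswith("$"):
        return f"host path built from an uninterpolated variable ({src})"
    norm = posixpath.normpath(src)
    if posixpath.isabs(norm):
        if any(_under(norm, p) for p in allowed):
            return None  # explicitly allowed host prefix (assumption: operator-configured)
        return f"bind mount of host path {norm}"
    if norm == ".." or norm.startswith("../"):
        return f"relative bind mount escapes the project directory ({src})"
    return None  # relative path that stays under the project directory


def check_compose(compose, allowed_bind_prefixes=()):
    """Return a list of Findings; an empty list means the document passed the policy."""
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        svc = svc or {}
        for entry in svc.get("volumes") or []:
            src = _bind_source(entry)
            problem = _host_path_problem(src, allowed_bind_prefixes) if src else None
            if problem:
                findings.append(Finding(name, "volumes", problem))
        if svc.get("privileged"):
            findings.append(Finding(name, "privileged", "all capabilities and host devices"))
        for key in ("pid", "network_mode", "ipc", "userns_mode"):
            if svc.get(key) == "host":
                findings.append(Finding(name, key, f"{key}: host shares the host namespace"))
        caps = {str(c).upper().removeprefix("CAP_") for c in svc.get("cap_add") or []}
        for cap in sorted(caps & DANGEROUS_CAPS):
            findings.append(Finding(name, "cap_add", f"{cap} is enough to escape the container"))
        for opt in svc.get("security_opt") or []:
            text = str(opt).replace(" ", "")
            if "unconfined" in text or text == "no-new-privileges:false":
                findings.append(Finding(name, "security_opt", f"disables a confinement layer ({opt})"))
        if svc.get("devices"):
            findings.append(Finding(name, "devices", "exposes host device nodes"))
    # A named volume reaches the host too when the local driver binds a host device.
    for vname, spec in (compose.get("volumes") or {}).items():
        device = ((spec or {}).get("driver_opts") or {}).get("device")
        if device:
            findings.append(Finding(f"volume:{vname}", "driver_opts", f"bound to host path {device}"))
    return findings


# Constructed sample: one benign service, one using the advisory's technique plus the
# neighbouring escape routes that a check on absolute volume paths alone would miss.
SAMPLE_COMPOSE = {
    "services": {
        "web": {"image": "nginx:1.27",
                "volumes": ["static:/usr/share/nginx/html", "./config:/etc/nginx/conf.d:ro"]},
        "escape": {
            "image": "alpine:3.20",
            "volumes": ["/:/host",  # host root into the container, as in the advisory
                        {"type": "bind", "source": "/var/run/docker.sock", "target": "/var/run/docker.sock"},
                        "../../secrets:/s"],
            "privileged": True, "pid": "host", "cap_add": ["SYS_ADMIN"],
        },
    },
    "volumes": {"static": {},
                "hostroot": {"driver": "local", "driver_opts": {"type": "none", "o": "bind", "device": "/"}}},
}

if __name__ == "__main__":
    for f in check_compose(SAMPLE_COMPOSE):
        print(f"{f.service:16} {f.directive:12} {f.detail}")
```

In a deployer the call sits immediately before the Compose file is written to the server, and a non-empty result rejects the deployment. Relative paths are allowed because Compose resolves them under the project directory, but anything that climbs out with `..` is flagged. Run the check on the output of `docker compose config` rather than on the raw file, because `include`, `extends` and variable interpolation can otherwise introduce a host path the raw text does not show; and keep in mind that this is a deny-list, which is why the upgrade, not the validator, is the remediation.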
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.565Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68af3a3bad5a09ad0064220d
Added to database: 8/27/2025, 5:02:51 PM
Last enriched: 11/19/2025, 4:09:59 AM
Last updated: 12/4/2025, 5:47:20 PM