CVE-2025-34161 is a critical OS command injection vulnerability affecting Coolify, an open-source platform by coolLabs Technologies used for project deployment workflows. The flaw exists in versions prior to v4.0.0-beta.420.7, where the Git Repository input field fails to properly sanitize user-supplied data. Authenticated users with minimal privileges (low-level members) can submit specially crafted repository strings containing shell command injection syntax. This input is passed unsanitized to the underlying operating system shell, enabling arbitrary command execution on the host server. The vulnerability arises due to improper neutralization of special elements in OS commands (CWE-78) and insufficient input validation (CWE-20). Exploitation does not require elevated privileges beyond low-level membership and does not require user interaction, making it highly exploitable remotely. The impact includes full server compromise, allowing attackers to execute arbitrary code, access sensitive data, disrupt services, or pivot within the network. The CVSS 4.0 score of 9.4 reflects the criticality, with attack vector being network-based, low attack complexity, no privileges required beyond low-level membership, and no user interaction needed. Although no exploits have been reported in the wild yet, the vulnerability poses a significant risk to organizations relying on Coolify for deployment automation. The lack of available patches at the time of reporting necessitates immediate mitigation efforts.

For European organizations, this vulnerability presents a severe risk to the confidentiality, integrity, and availability of critical deployment infrastructure. Organizations using Coolify for continuous integration and deployment could face full server compromise, leading to data breaches, unauthorized access to internal systems, and potential disruption of business operations. Attackers could leverage this flaw to implant malware, exfiltrate sensitive information, or disrupt cloud-native applications and services. Given the increasing adoption of DevOps and cloud automation tools in Europe, exploitation could have cascading effects on supply chains and customer-facing services. The ability for low-privilege users to execute arbitrary commands increases insider threat risks and the potential for external attackers to escalate privileges after initial access. The absence of known exploits currently provides a window for proactive defense, but the critical severity demands urgent attention to prevent future attacks.

1. Immediately upgrade Coolify to version 4.0.0-beta.420.7 or later once available to apply the official patch addressing this vulnerability. 2. Until patching is possible, restrict access to the project creation functionality to trusted users only, minimizing the number of low-level members who can submit repository URLs. 3. Implement strict input validation and sanitization on the Git Repository field at the application and network layers to detect and block command injection patterns. 4. Employ Web Application Firewalls (WAFs) with custom rules targeting suspicious shell command injection payloads in HTTP requests. 5. Monitor logs for unusual command execution patterns or unexpected repository strings indicative of exploitation attempts. 6. Enforce the principle of least privilege on deployment servers and isolate Coolify instances within segmented network zones to limit lateral movement. 7. Conduct regular security audits and penetration tests focusing on deployment automation tools. 8. Educate developers and DevOps teams about the risks of command injection and secure coding practices related to user input handling.