
CVE-2025-59156: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in coollabsio coolify

Severity: Critical
Tags: Vulnerability, CVE-2025-59156, cve, cve-2025-59156, cwe-78
Published: Mon Jan 05 2026 (01/05/2026, 17:39:42 UTC)
Source: CVE Database V5
Vendor/Project: coollabsio
Product: coolify

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, a Remote Code Execution (RCE) vulnerability exists in Coolify's application deployment workflow. This flaw allows a low-privileged member to inject arbitrary Docker Compose directives during project creation or updates. By defining a malicious service that mounts the host filesystem, an attacker can achieve root-level command execution on the host OS, completely bypassing container isolation. Version 4.0.0-beta.420.7 contains a patch for the issue.

AI-Powered Analysis

AI analysis last updated: 01/05/2026, 18:07:40 UTC

Technical Analysis

CVE-2025-59156 is a critical OS command injection vulnerability identified in Coolify, an open-source, self-hostable platform for managing servers, applications, and databases. The flaw exists in versions prior to 4.0.0-beta.420.7 within the application deployment workflow. Specifically, it allows a low-privileged user to inject arbitrary Docker Compose directives when creating or updating projects. By crafting a malicious service definition that mounts the host filesystem, an attacker can escape container isolation and execute commands with root privileges on the host operating system. This occurs because the application fails to properly sanitize or neutralize special elements in the Docker Compose input, leading to command injection (CWE-78). The vulnerability is exploitable over the network and requires no user interaction; the only authentication needed is a low-privileged member account, so the bar to exploitation is low. The CVSS 4.0 vector (AV:N/AC:L/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) reflects a network attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability of both the vulnerable system and the host it runs on. Although no public exploits are reported yet, the potential for full host compromise is significant. The issue is patched in version 4.0.0-beta.420.7, which properly sanitizes inputs and restricts Docker Compose directive injection.

Potential Impact

For European organizations, this vulnerability poses a severe risk, especially for those deploying Coolify in multi-tenant or collaborative environments. An attacker with low privileges can escalate to full root access on the host, compromising all hosted applications, data, and infrastructure. This could lead to data breaches, service disruption, lateral movement within networks, and potential deployment of ransomware or other malware. Organizations relying on Coolify for critical infrastructure management may face operational downtime and reputational damage. Given the high severity and ease of exploitation, the threat is particularly acute for sectors with stringent data protection requirements such as finance, healthcare, and government. The ability to bypass container isolation undermines a key security boundary, increasing the attack surface and complicating incident response.

Mitigation Recommendations

1. Immediately upgrade all Coolify instances to version 4.0.0-beta.420.7 or later to apply the official patch.
2. Restrict project creation and update permissions to trusted, high-privileged users only, minimizing the risk of malicious Docker Compose injection.
3. Implement strict input validation and sanitization on any user-supplied configuration data related to Docker Compose files.
4. Monitor Docker Compose configurations and deployment workflows for unauthorized or suspicious changes using file integrity monitoring and audit logging.
5. Employ container runtime security tools that can detect and prevent host filesystem mounts or privilege escalations.
6. Conduct regular security assessments and penetration tests focusing on container escape vectors.
7. Isolate Coolify management interfaces behind strong network controls and multi-factor authentication to reduce exposure.
8. Educate administrators and developers about the risks of improper configuration and the importance of applying security patches promptly.
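Recommendations 3 to 5 above amount to a policy gate on user-supplied Compose definitions. The following is an added example of such a gate, not Coolify's own code: it takes a compose document already parsed into a dict (as `yaml.safe_load` would return) and lists every directive that would let a service reach the host, which is exactly the class of definition this CVE describes. The allowlist-free path rule, the capability set and SAMPLE_COMPOSE are all constructed for illustration.

```python
"""Policy gate for user-supplied Docker Compose definitions (added example, not Coolify code).
Input is a compose document already parsed into a dict (e.g. by yaml.safe_load); the gate
lists every directive that would let a container reach the host OS. SAMPLE_COMPOSE is constructed."""
HOST_PATH_PREFIXES = ("/", "./", "../", "~")
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}

def _bind_source(entry):
    """Host-side path of a bind mount, or None for a named volume / non-bind entry."""
    if isinstance(entry, str):                                  # short syntax "src:dst[:opts]"
        src = entry.split(":")[0] if ":" in entry else None
    elif isinstance(entry, dict):                               # long syntax
        src = entry.get("source") if entry.get("type") == "bind" else None
    else:
        src = None
    return src if src and str(src).startswith(HOST_PATH_PREFIXES) else None

def compose_violations(compose: dict) -> list[str]:
    """Return findings that should block the deployment; an empty list means it passes."""
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        if not isinstance(svc, dict):
            findings.append(f"{name}: service definition is not a mapping")
            continue
        for src in filter(None, map(_bind_source, svc.get("volumes") or [])):
            findings.append(f"{name}: bind mount of host path {src!r}")
        if svc.get("privileged"):
            findings.append(f"{name}: privileged mode")
        for key in ("pid", "network_mode", "ipc", "userns_mode"):
            if svc.get(key) == "host":
                findings.append(f"{name}: {key}=host shares a host namespace")
        caps = {str(c).upper().removeprefix("CAP_") for c in svc.get("cap_add") or []}
        for cap in sorted(caps & DANGEROUS_CAPS):
            findings.append(f"{name}: cap_add {cap}")
    # A top-level volume can bind a host path too (driver_opts type=none, o=bind, device=/...).
    for vname, vol in (compose.get("volumes") or {}).items():
        opts = (vol or {}).get("driver_opts") or {}
        if opts.get("type") == "none" or "bind" in str(opts.get("o", "")):
            findings.append(f"volume {vname}: driver_opts binds host path {opts.get('device')!r}")
    return findings

SAMPLE_COMPOSE = {  # constructed: one benign service, one that reaches the host
    "services": {
        "web": {"image": "nginx:1.27", "volumes": ["site-data:/usr/share/nginx/html"]},
        "sidecar": {"image": "alpine", "privileged": True, "pid": "host",
                    "volumes": ["/:/host", {"type": "bind", "source": "/etc", "target": "/e"}]},
    },
    "volumes": {"site-data": {}},
}
```

Run the gate before the definition is handed to `docker compose` and refuse the deployment when the list is non-empty; the same function run over stored definitions doubles as the audit pass recommendation 4 calls for.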


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-09-09T15:23:16.327Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 695bfa903839e441756fd455

Added to database: 1/5/2026, 5:53:20 PM

Last enriched: 1/5/2026, 6:07:40 PM

Last updated: 1/8/2026, 12:12:34 PM