CVE-2025-34157

Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator attempts to delete the project or its associated resource, the payload executes in the admin’s browser context. This results in full compromise of the Coolify instance, including theft of API tokens, session cookies, and access to WebSocket-based terminal sessions on managed servers.

CVSS

No CVSS.

References

Link	Resource
https://coolify.io/
https://github.com/Eyodav/CVE-2025-34157
https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.420.7

Configurations

No configuration.

History

29 Aug 2025, 16:24

Type	Values Removed	Values Added
Summary		(es) Las versiones de Coolify anteriores a la v4.0.0-beta.420.6 son vulnerables a un ataque de Cross Site Scripting (XSS) almacenado durante el flujo de trabajo de creación de proyectos. Un usuario autenticado con privilegios bajos puede manipular un proyecto con un nombre malicioso que contenga JavaScript incrustado. Cuando un administrador intenta eliminar el proyecto o su recurso asociado, la payload se ejecuta en el contexto del navegador del administrador. Esto compromete por completo la instancia de Coolify, incluyendo el robo de tokens de API, cookies de sesión y acceso a sesiones de terminal basadas en WebSockets en servidores administrados.

27 Aug 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-27 17:15

Updated : 2025-08-29 16:24

NVD link : CVE-2025-34157

Mitre link : CVE-2025-34157

CVE.ORG link : CVE-2025-34157

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-34157", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-27T17:15:37.930", "references": [{"url": "https://coolify.io/", "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/Eyodav/CVE-2025-34157", "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.420.7", "source": "disclosure@vulncheck.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator attempts to delete the project or its associated resource, the payload executes in the admin\u2019s browser context. This results in full compromise of the Coolify instance, including theft of API tokens, session cookies, and access to WebSocket-based terminal sessions on managed servers."}, {"lang": "es", "value": "Las versiones de Coolify anteriores a la v4.0.0-beta.420.6 son vulnerables a un ataque de Cross Site Scripting (XSS) almacenado durante el flujo de trabajo de creaci\u00f3n de proyectos. Un usuario autenticado con privilegios bajos puede manipular un proyecto con un nombre malicioso que contenga JavaScript incrustado. Cuando un administrador intenta eliminar el proyecto o su recurso asociado, la payload se ejecuta en el contexto del navegador del administrador. Esto compromete por completo la instancia de Coolify, incluyendo el robo de tokens de API, cookies de sesi\u00f3n y acceso a sesiones de terminal basadas en WebSockets en servidores administrados."}], "lastModified": "2025-08-29T16:24:09.860", "sourceIdentifier": "disclosure@vulncheck.com"}