CVE-2025-34157

Critical CVSS: 9.4

Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator attempts to delete the project or its associated resource, the payload executes in the admin’s browser context. This results in full compromise of the Coolify instance, including theft of API tokens, session cookies, and access to WebSocket-based terminal sessions on managed servers.

Vendor

Coollabs

Product

Coolify

CWE

CWE-20

Yayın Tarihi

2025-08-27 17:15:37

Güncelleme

2025-09-19 16:48:52

Source Identifier

disclosure@vulncheck.com

KEV Date Added

Kategoriler

CWE-20 Coolify CRITICAL Coollabs 2025

Referanslar

https://coolify.io/ https://github.com/Eyodav/CVE-2025-34157 https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.420.7

Benzer Kayıtlar

Medium

CVE-2025-64422

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify vstarting…

High

CVE-2025-64423

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions…

Critical

CVE-2025-64424

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions…

High

CVE-2025-64425

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions…

Critical

CVE-2025-64419

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0…

Critical

CVE-2025-64420

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions…