Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in PostgreSQL Init Script Filename handling allows users with application/service management permissions to execute arbitrary commands as root on managed servers. PostgreSQL initialization script filenames are passed to shell commands without proper validation, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.
Coolify, a server management tool, is vulnerable to a critical command injection flaw allowing attackers to achieve remote code execution (RCE). Exploiting this vulnerability grants attackers root-level access on managed servers, potentially leading to complete system compromise and data breaches. This vulnerability is due to insufficient input validation when handling PostgreSQL initialization script filenames.
Step 1: Authentication: An attacker must first authenticate to Coolify with application/service management permissions.
Step 2: Payload Insertion: The attacker crafts a malicious PostgreSQL initialization script filename containing shell commands designed to execute arbitrary code. This filename is crafted to inject commands into the shell command that processes the filename.
Step 3: Filename Submission: The attacker submits the malicious filename through the Coolify interface, typically when configuring or updating a PostgreSQL database or service.
Step 4: Command Execution: Coolify passes the attacker-controlled filename to a shell command without proper sanitization.
Step 5: Code Execution: The shell command executes the injected commands as root, granting the attacker control over the managed server.
The vulnerability stems from a lack of input validation in Coolify's handling of PostgreSQL initialization script filenames: the application passes user-supplied filenames directly to shell commands without sanitization, so shell metacharacters embedded in a filename are interpreted as additional commands and executed with root privileges on the managed server. The root cause is the absence of validation and sanitization of the filename parameter before it reaches a shell command, a classic command injection caused by improper handling of user-supplied data.
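The following is an added example, not Coolify's code, showing the flawed pattern next to a hardened handler for a filename that will end up on a command line. The function and directory names (`validate_init_script_filename`, `/tmp/uploads`, `/data/init`) and the allowlist policy are assumptions for illustration. The safe path rejects anything outside a strict allowlist and then runs the command as an argv list with no shell, so the name is never re-parsed.

```python
import os
import re
import subprocess
from typing import List

# Allowlist for a PostgreSQL init-script filename (assumed policy, not Coolify's):
# a plain basename starting with a letter or digit, then letters, digits, dot,
# underscore or hyphen. No slashes, spaces, quotes, ';', '$', backticks or '&',
# so nothing in the name can change the meaning of a command line.
_SAFE_FILENAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")
_ALLOWED_SUFFIXES = (".sql", ".sh")


def is_safe_init_script_filename(filename: object) -> bool:
    """True only for names that match the allowlist and carry an expected suffix."""
    if not isinstance(filename, str):
        return False
    if _SAFE_FILENAME.fullmatch(filename) is None:
        return False
    return filename.endswith(_ALLOWED_SUFFIXES)


def validate_init_script_filename(filename: str) -> str:
    """Return the filename unchanged if it is safe, otherwise raise ValueError."""
    if not is_safe_init_script_filename(filename):
        raise ValueError(f"rejected init script filename: {filename!r}")
    return filename


def vulnerable_command_line(filename: str) -> str:
    """The flawed pattern: user input spliced into a shell string.

    Returned as a string for inspection only; it is never executed here.
    Any shell metacharacter in `filename` becomes part of the command.
    """
    return f"cp /tmp/uploads/{filename} /data/init/{filename}"


def safe_copy_argv(filename: str, src_dir: str, dst_dir: str) -> List[str]:
    """Build an argv list: validated name, no shell, '--' ends option parsing."""
    name = validate_init_script_filename(filename)
    return ["cp", "--", os.path.join(src_dir, name), os.path.join(dst_dir, name)]


def copy_init_script(filename: str, src_dir: str, dst_dir: str) -> None:
    """Run the copy without a shell so argv elements are never re-parsed."""
    subprocess.run(safe_copy_argv(filename, src_dir, dst_dir), shell=False, check=True)


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate name and three that must be rejected.
    for candidate in ["init.sql", "init.sql; true", "$(date).sql", "../outside/init.sql"]:
        print(f"{candidate!r:28} safe={is_safe_init_script_filename(candidate)}")
    print(safe_copy_argv("init.sql", "/tmp/uploads", "/data/init"))
```

The two controls are independent and both belong in the fix: the allowlist stops unexpected characters and path components at the boundary, and `shell=False` with an argv list removes the shell parser from the picture entirely. Quoting with `shlex.quote` is only a fallback for the rare case where a shell string cannot be avoided, and it does not replace validating the name against what the feature actually needs.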