Related vulnerability
Title: Coolify security vulnerability (CVE-2025-34157)
Description: Coolify is an open-source, self-hosted alternative to Heroku/Netlify/Vercel from coolLabs. Coolify versions prior to v4.0.0-beta.420.6 contain a security vulnerability: a stored cross-site scripting flaw in the project creation workflow that can lead to complete control of the Coolify instance.
Description
A stored XSS in the project delete flow allows execution of attacker-controlled JavaScript in an administrator’s browser when the admin attempts to delete a project created by a low-privileged user. This can lead to takeover of the Coolify instance (cookies, API tokens, WebSocket/terminal actions).
Introduction
# Stored XSS in Coolify delete flow (CVE-2025-34157)
> **Affects:** Coolify ≤ **v4.0.0-beta.420.6**
> **Fixed in:** **v4.0.0-beta.420.7**
> **Severity:** **Critical (9.4)**
> **CVSS 4.0 Vector:** `CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H`
> **CWE:** CWE-79 (Cross-Site Scripting), CWE-20 (Improper Input Validation)
## Summary
A stored XSS in the project delete flow allows execution of attacker-controlled JavaScript in an administrator’s browser when the admin attempts to delete a project created by a low-privileged user. This can lead to takeover of the Coolify instance (cookies, API tokens, WebSocket/terminal actions).
- **Attack Vector:** Remote (any authenticated user, incl. member)
- **Privileges Required:** Low
- **User Interaction:** Admin interaction (delete action)
- **Impact:** Account/session takeover, project/resource/terminal access
## Affected versions
- All versions **prior to and including** `v4.0.0-beta.420.6`.
## Proof of Concept (PoC)
Steps and payloads are in [`/POC`](./POC).
File snapshot
[4.0K] /data/pocs/dc6c2198fc05abefacd880052d64f163f50fc021
├── [4.0K] POC
│ ├── [4.9K] Payloads HTMLi
│ ├── [ 461] Payloads XSS
│ └── [1.6K] ReadMe.md
└── [1.0K] README.md
1 directory, 4 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source has become unavailable or inaccessible, please send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 (Shenlong) has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for or donating to the local POC. Thank you for your support.