Preview Deployment Vulnerability in Dokploy

rivo.gg

13 points by dominikdoesdev 6 months ago · 7 comments

issanassar 6 months ago

Had a similar horror story with Dokploy

I initially loved the project and self-hosted it for the startup I worked at, Confinity. We had our development and production environments on Dokploy, as it seemed stable and was actively maintained, as well as being a really nice cost-cutting measure.

At some point, purely to support the project, I convinced the CEO to subscribe to Dokploy Cloud, their paid service to manage the panel. All we had to do was add the servers, and things were fine for a while.

Though at some point, I found an issue: I pushed a change to our repository, then merged it to staging, so the dev branch was "deploying" in Dokploy and staging was queued. Since we didn't use dev anymore, I deleted that branch, assuming it would clean up after itself so staging could build instead of sitting in the queue.

How wrong I was. That instantly bricked both the server and the Dokploy panel. For the better part of 6 hours we couldn't deploy, delete, stop, start, or do anything at all to our services, which became entirely unresponsive, both on the panel and on the sites themselves, which went down despite the server still being up (and yes, we rebooted it multiple times). The issue was with Dokploy's PAID service, which had caused everything to be stuck in limbo, pretty much.

We had to do an emergency migration out of Dokploy Cloud to get our services and site back up, including all our databases. Multiple times during this process I told the founder of Dokploy, as a paying customer, about this issue, and his response was simply "User issue", at which point I gave up, unsubscribed from the service, and moved to Easypanel.

Definitely not a service I'd ever check out again.

  • dominikdoesdevOP 6 months ago

    Oh, wow, that actually sucks. I had a similar issue with my self-hosted instance. I couldn't access it because it crashed and never auto-restarted. Luckily, our services were still running, so it wasn't as bad as your incident.

    I really loved Dokploy's UI and that it was fully open source, so it sucks to see them not care about the security of their products. I even sponsored them for a few months.

    How has EasyPanel been for you so far? Is it worth checking out over Coolify, for example?

    • issanassar 6 months ago

      Easypanel has been pretty great for me so far, a couple of issues with ports but otherwise a really nice UI and features.

      I wish I could switch to Coolify, as its features and offering are way better imo, but the UI/UX for it is a massive downgrade. Since I love working visually with my services, Coolify just isn't a good fit yet until they upgrade the UX.

dominikdoesdevOP 6 months ago

After re-reporting the vulnerability through GitHub, the maintainer of Dokploy has published a fix in version v0.24.3. Read more here: https://github.com/Dokploy/dokploy/security/advisories/GHSA-...

clandad 6 months ago

Hard to believe they left such an obvious security hole open for 6 months. Any random PR can access environment variables? That's concerning for a project with 20k+ stars.

  • dominikdoesdevOP 6 months ago

    Yea, I'm not sure why the developer refuses to fix it. You can probably do a lot more than just read environment variables too.
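The risk the thread is circling (a preview deployment triggered by an arbitrary pull request runs that PR's own build steps with the project's environment variables in scope) is a policy problem as much as a code one. The following is an added example, not Dokploy's code or its fix: a gate that decides whether a pull_request webhook event may trigger a preview build at all, and an allowlist filter that hands the build only the variables a preview is meant to see. The payload field names (action, pull_request.head.repo.fork, pull_request.author_association, and so on) follow the shape of GitHub's pull_request webhook and are an assumption; adapt them for another forge. The sample events are constructed inline.

```python
"""Gate preview deployments on PR trust and strip secrets from preview builds.

Added example; not Dokploy's code. Field names follow the shape of a GitHub
pull_request webhook payload (assumption: head.repo.fork, author_association,
head/base.repo.full_name). Adjust for other platforms.
"""
from dataclasses import dataclass, field

# Author associations GitHub reports for people with write access to the repo.
TRUSTED_ASSOCIATIONS = {"OWNER", "MEMBER", "COLLABORATOR"}

# Actions that correspond to new code arriving on the PR branch.
BUILD_ACTIONS = {"opened", "synchronize", "reopened"}


@dataclass
class Decision:
    build: bool
    reasons: list = field(default_factory=list)


def should_build_preview(event: dict, trusted: set = TRUSTED_ASSOCIATIONS) -> Decision:
    """Decide whether a pull_request event may trigger a preview deployment.

    Refuse when the head branch lives outside the base repository (the PR
    author controls the Dockerfile and build scripts, so the build executes
    their code) or when the author is not a trusted collaborator. Every
    refusal reason is collected so the operator can see why it was skipped.
    """
    pr = event.get("pull_request") or {}
    reasons = []

    action = event.get("action")
    if action not in BUILD_ACTIONS:
        reasons.append(f"action {action!r} does not trigger builds")

    # head.repo can be null when the fork was deleted; treat that as untrusted.
    head_repo = (pr.get("head") or {}).get("repo") or {}
    base_repo = (pr.get("base") or {}).get("repo") or {}
    if head_repo.get("fork") or head_repo.get("full_name") != base_repo.get("full_name"):
        reasons.append("head branch is not in the base repository")

    association = pr.get("author_association")
    if association not in trusted:
        reasons.append(f"author association {association!r} is not trusted")

    return Decision(build=not reasons, reasons=reasons)


def preview_env(full_env: dict, allowlist: set) -> dict:
    """Return only the variables a preview build is allowed to see.

    Even a build that passes the gate above should not receive production
    secrets; the allowlist is the complete set of names exposed to previews.
    """
    return {k: v for k, v in full_env.items() if k in allowlist}


# Constructed sample events (not real webhook captures).
FORK_PR_EVENT = {
    "action": "opened",
    "pull_request": {
        "author_association": "NONE",
        "head": {"repo": {"fork": True, "full_name": "outsider/app"}},
        "base": {"repo": {"fork": False, "full_name": "org/app"}},
    },
}

MEMBER_PR_EVENT = {
    "action": "synchronize",
    "pull_request": {
        "author_association": "MEMBER",
        "head": {"repo": {"fork": False, "full_name": "org/app"}},
        "base": {"repo": {"fork": False, "full_name": "org/app"}},
    },
}

# Constructed environment for the sample run.
PROJECT_ENV = {
    "NODE_ENV": "production",
    "PUBLIC_API_URL": "https://api.example.invalid",
    "DATABASE_URL": "postgres://prod:secret@db/prod",
    "STRIPE_SECRET_KEY": "sk_live_placeholder",
}
PREVIEW_ALLOWLIST = {"NODE_ENV", "PUBLIC_API_URL"}


if __name__ == "__main__":
    for name, event in (("fork PR", FORK_PR_EVENT), ("member PR", MEMBER_PR_EVENT)):
        d = should_build_preview(event)
        print(f"{name}: build={d.build} reasons={d.reasons}")
    print("preview env:", preview_env(PROJECT_ENV, PREVIEW_ALLOWLIST))
```

The two controls are independent: the gate stops untrusted code from running a build at all, and the allowlist limits the blast radius when a trusted author's branch is itself compromised. Both should be applied by the deployment platform before it hands anything to the build, not by the repository's own configuration, which the PR can edit.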
