Skip to content

[Bug]: Deployment log leaks all my secret environment variables #7019

New issue
New issue
Open
Open
[Bug]: Deployment log leaks all my secret environment variables#7019
Labels
🐛 Possible BugReported issues that need to be reproduced by the team.🔍 TriageIssues that need assessment and prioritization.
@satvug

Description

@satvug
satvug
opened on Oct 26, 2025

Error Message and Logs

During deployment of my Next.js app on Coolify (using Nixpacks), I noticed that the deployment logs expose all environment variables from my .env file, including sensitive values like API keys, tokens, and database credentials.

This effectively means that anyone with access to the deployment logs can see all secrets in plain text, which is a severe security vulnerability.

The leaks happen at this part of the deployment log:

2025-Oct-26 22:01:59.367776
[CMD]: docker exec m80cocsow4kc008ks88wg804 bash -c 'nixpacks detect /artifacts/m80cocsow4kc008ks88wg804'
2025-Oct-26 22:01:59.367776
node
2025-Oct-26 22:01:59.381067
Found application type: node.
2025-Oct-26 22:01:59.393735
If you need further customization, please check the documentation of Nixpacks: https://nixpacks.com/docs/providers/node
2025-Oct-26 22:01:59.463951
Final Nixpacks plan: {
2025-Oct-26 22:01:59.463951
"providers": [],
2025-Oct-26 22:01:59.463951
"buildImage": "ghcr.io\/railwayapp\/nixpacks:ubuntu-1745885067",
2025-Oct-26 22:01:59.463951
"variables": {
2025-Oct-26 22:01:59.463951
"CI": "true",
2025-Oct-26 22:01:59.463951
"COOLIFY_BRANCH": "main",
2025-Oct-26 22:01:59.463951
"COOLIFY_CONTAINER_NAME": "rsg404440gksg0ks40wok8so-220151930914",
2025-Oct-26 22:01:59.463951
"COOLIFY_FQDN": "xxxx.io,xx.xx.pro\/next",
2025-Oct-26 22:01:59.463951
"COOLIFY_RESOURCE_UUID": "rsg404440gksg0ks40wok8so",
2025-Oct-26 22:01:59.463951
"COOLIFY_URL": "xxxx.sslip.io,xx.xxx.xx\/next",
2025-Oct-26 22:01:59.463951
"NIXPACKS_METADATA": "node",
2025-Oct-26 22:01:59.463951
"NODE_ENV": "production",
2025-Oct-26 22:01:59.463951
"NPM_CONFIG_PRODUCTION": "false",
2025-Oct-26 22:01:59.463951
"SOURCE_COMMIT": "9af9dbc311ce68a69237190ea348f86edcf2a5ea",
2025-Oct-26 22:01:59.463951
"ANTHROPIC_API_KEY": secret!

Steps to Reproduce

🔍 Steps to Reproduce
1. Deploy a Next.js project on Coolify using Nixpacks.
2. Add environment variables (via .env or the Coolify environment configuration).
3. Trigger a new deployment.
4. Open the deployment logs — all environment variables are printed there.

Example Repository URL

No response

Coolify Version

v4.0.0-beta.434

Are you using Coolify Cloud?

No (self-hosted)

Operating System and Version (self-hosted)

Ubuntu 24.04.3 LTS

Additional Information

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    🐛 Possible BugReported issues that need to be reproduced by the team.🔍 TriageIssues that need assessment and prioritization.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions