CVE-2025-66209

Severity: CRITICAL
CVSS 3.1 base score: 9.9
Published: 2025-12-23 [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch Released: Mar 17, 2026 - 20:45 (nvd) - Patch available
PoC Detected: Mar 17, 2026 - 17:16 (vuln.today) - Public exploit code
CVE Published: Dec 23, 2025 - 22:15 (nvd)

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Backup functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Database names used in backup operations are passed directly to shell commands without sanitization, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.

Analysis

A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application/service management permissions to execute arbitrary commands as root on managed servers. The vulnerability affects all Coolify versions prior to 4.0.0-beta.451 and has a publicly available proof-of-concept exploit. With a CVSS score of 9.9 and confirmed exploitation code available, this represents a critical risk for organizations using Coolify to manage their infrastructure.

Technical Context

Coolify is an open-source server management platform that handles applications, services, and databases. The vulnerability exists in the database backup functionality, where database names are passed directly to shell commands without proper sanitization: a textbook instance of CWE-78 (Improper Neutralization of Special Elements used in an OS Command, i.e. OS command injection). The affected versions span from early beta releases (4.0.0-beta100) through 4.0.0-beta450, as identified in the CPE entries. The root cause is unsafe string concatenation when constructing the shell commands for database backup operations, which lets an authenticated user with application/service management permissions inject additional commands through a crafted database name; because the backup runs as root on the managed server, the injected commands run as root too.
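The root-cause pattern described above, shown as an added example that is not Coolify's own code: an untrusted database name interpolated into a shell string (the CWE-78 shape), beside the hardened form that validates the identifier against an allowlist, builds an argv list so no shell ever parses the name, and falls back to shlex.quote only where a single command line is unavoidable. The pg_dump invocation, the /backups path and the identifier pattern are assumptions for illustration, not details taken from the Coolify code base.

```python
import re
import shlex
import subprocess

# Allowlist for database identifiers: letters, digits, underscore, hyphen,
# 1..63 chars. Anything else (shell metacharacters, whitespace, quotes, $(),
# backticks) is rejected outright. The pattern is an assumption for this
# example, not Coolify's own rule.
DB_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,63}$")


def build_backup_command_unsafe(db_name: str) -> str:
    """Vulnerable pattern (CWE-78): the name is concatenated into one shell
    string, so a name containing ';', '&&', '$(...)' or backticks becomes
    part of what the shell executes. Shown for contrast only; never run it."""
    return f"pg_dump {db_name} > /backups/{db_name}.sql"


def validate_db_name(db_name: str) -> bool:
    """Return True only for identifiers that cannot carry shell syntax."""
    return DB_NAME_RE.fullmatch(db_name) is not None


def build_backup_argv(db_name: str) -> list[str]:
    """Hardened form: validate first, then build an argv list. Each element
    reaches pg_dump as one argument via execve; no shell is involved.
    Raises ValueError on a rejected name so the caller cannot proceed."""
    if not validate_db_name(db_name):
        raise ValueError(f"rejected database name: {db_name!r}")
    return ["pg_dump", "--file", f"/backups/{db_name}.sql", db_name]


def build_backup_shell_line(db_name: str) -> str:
    """Fallback when a single command line is unavoidable (e.g. one string
    sent to a remote host): validate, then quote every untrusted token with
    shlex.quote so the shell treats it as data, not syntax."""
    if not validate_db_name(db_name):
        raise ValueError(f"rejected database name: {db_name!r}")
    target = f"/backups/{db_name}.sql"
    return f"pg_dump {shlex.quote(db_name)} > {shlex.quote(target)}"


def run_backup(db_name: str) -> subprocess.CompletedProcess:
    """Execute the hardened argv with shell=False (the default for a list);
    the name is passed to pg_dump as a literal argument."""
    return subprocess.run(
        build_backup_argv(db_name), shell=False, check=True, capture_output=True
    )


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate name, one carrying a ';'.
    for name in ("app_prod-01", "app; id"):
        print(f"unsafe string : {build_backup_command_unsafe(name)!r}")
        try:
            print(f"hardened argv : {build_backup_argv(name)}")
        except ValueError as exc:
            print(f"hardened argv : {exc}")
```

The unsafe builder shows why the original concatenation is dangerous even without executing anything: the ';' survives into the command line. The hardened path refuses the same input before any process is spawned, and even a name that slipped past validation would still be delivered as a single argv element rather than parsed by a shell.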

Affected Products

Coolify versions prior to 4.0.0-beta.451 are vulnerable, specifically including all beta releases from 4.0.0-beta100 through 4.0.0-beta450 as documented in the CPE entries (cpe:2.3:a:coollabs:coolify:*:*:*:*:*:*:*:* and specific beta versions). The vulnerability affects the open-source self-hosted version of Coolify used for managing servers, applications, and databases. Users can verify their version and find detailed information in the GitHub security advisory at https://github.com/coollabsio/coolify/security/advisories/GHSA-vm5p-43qh-7pmq.

Remediation

Upgrade Coolify immediately to version 4.0.0-beta.451 or later, which contains the fix for this vulnerability as documented in pull request https://github.com/coollabsio/coolify/pull/7375. The patched version is available at https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451. Until patching is possible, restrict access to the Coolify interface to trusted administrators only and monitor database backup operations for suspicious activity. Given the severity and the availability of exploit code, patching should be prioritized: no workaround can fully mitigate the risk of command injection through the backup functionality.

Priority Score

70 (scale: Low / Medium / High / Critical)
Components: KEV: 0, EPSS: +0.2, CVSS: +50, POC: +20
