CVE-2025-66210

Severity: HIGH | Published: 2025-12-23 | Source: [email protected] | CVSS 3.1 base score: 8.8

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High

Lifecycle Timeline

- Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
- PoC Detected: Mar 17, 2026 - 17:16 (vuln.today) - public exploit code
- CVE Published: Dec 23, 2025 - 22:15 (nvd) - HIGH 8.8

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Import functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Database names used in import operations are passed directly to shell commands without sanitization, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.

Analysis

A command injection vulnerability in Coolify's Database Import functionality allows authenticated users with application/service management permissions to execute arbitrary system commands as root on managed servers. The vulnerability stems from unsanitized database names being passed directly to shell commands, enabling full remote code execution. A public proof-of-concept exploit is available, and with an EPSS score of 0.41% (61st percentile), this represents a moderate real-world exploitation risk for organizations using vulnerable Coolify versions.

Technical Context

Coolify is an open-source server management platform that handles applications and databases. The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), a common but critical flaw where user-controlled input is passed to system shell commands without proper sanitization. Based on the CPE data, all Coolify versions prior to 4.0.0-beta.451 are affected, including the entire 4.0.0-beta series from beta100 through beta450. The issue specifically resides in the Database Import functionality where database names are concatenated into shell commands without escaping special characters, allowing attackers to inject additional commands.

Affected Products

Coolify versions prior to 4.0.0-beta.451 are vulnerable, including all 4.0.0-beta releases from beta100 through beta450 as specified in the CPE entries (cpe:2.3:a:coollabs:coolify:*:*:*:*:*:*:*:* and specific beta versions). The vulnerability affects the open-source self-hosted server management platform maintained by Coollabs. The vendor security advisory is available at https://github.com/coollabsio/coolify/security/advisories/GHSA-q33h-22xm-4cgh, with the fix implemented in pull request https://github.com/coollabsio/coolify/pull/7375.

Remediation

Upgrade Coolify to version 4.0.0-beta.451 or later immediately, as confirmed in the release notes at https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451. Until patching is possible, restrict access to the Database Import functionality to only highly trusted administrators and monitor for suspicious database names containing shell metacharacters. Review user permissions and temporarily revoke application/service management permissions from untrusted users. Given the availability of public exploit code at https://github.com/0xrakan/coolify-cve-2025-66209-66213, patching should be treated as urgent.
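The two defensive measures above (reject or escape the database name before it reaches a shell, and watch import events for shell metacharacters) as an added illustration in Python; this is not Coolify's own code, `pg_restore` stands in for whatever import tool Coolify actually invokes, and the audit-log format is constructed for the example.

```python
import re
import shlex

# Allowlist for a database identifier (assumption: letters, digits, underscore only).
DB_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")
# Characters that change meaning when spliced unquoted into a shell command line.
SHELL_METACHARS = frozenset(';&|$`<>()\n\'"\\ ')


def suspicious_chars(name):
    """Return the shell metacharacters present in a database name (for alerting)."""
    return sorted({c for c in name if c in SHELL_METACHARS})


def is_valid_db_name(name):
    return DB_NAME_RE.fullmatch(name) is not None


def vulnerable_import_command(db_name, dump_path):
    """CWE-78 shape: the untrusted name is interpolated straight into a shell string.
    Shown only for contrast; nothing in this example executes it."""
    return f"pg_restore -d {db_name} {dump_path}"


def hardened_import_command(db_name, dump_path):
    """Reject anything outside the allowlist, then quote every word separately."""
    if not is_valid_db_name(db_name):
        raise ValueError(f"rejected database name {db_name!r}: {suspicious_chars(db_name)}")
    # Preferable still is passing an argv list to the process API with no shell at all.
    return " ".join(shlex.quote(w) for w in ["pg_restore", "-d", db_name, dump_path])


def scan_import_log(lines):
    """Flag import events whose db_name carries shell metacharacters."""
    pattern = re.compile(r'user=(\S+) action=db_import db_name="([^"]*)"')
    hits = []
    for line in lines:
        m = pattern.search(line)
        if m and suspicious_chars(m.group(2)):
            hits.append((m.group(1), m.group(2), suspicious_chars(m.group(2))))
    return hits


# Constructed sample audit lines, not real Coolify output.
SAMPLE_LOG = [
    '2025-12-23T10:01:00Z user=alice action=db_import db_name="orders_prod"',
    '2025-12-23T10:02:30Z user=mallory action=db_import db_name="orders; id"',
    '2025-12-23T10:03:12Z user=bob action=db_import db_name="analytics_2025"',
]

if __name__ == "__main__":
    for user, name, chars in scan_import_log(SAMPLE_LOG):
        print(f"ALERT user={user} db_name={name!r} metachars={chars}")
```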

Priority Score

Total: 64

- KEV: 0
- EPSS: +0.4
- CVSS: +44
- POC: +20
