CVE-2025-66211

Severity: HIGH
Published: 2025-12-23 (source: [email protected])
CVSS 3.1 base score: 8.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
PoC Detected: Mar 17, 2026 - 17:16 (vuln.today) - public exploit code
CVE Published: Dec 23, 2025 - 22:15 (nvd)

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in PostgreSQL Init Script Filename handling allows users with application/service management permissions to execute arbitrary commands as root on managed servers. PostgreSQL initialization script filenames are passed to shell commands without proper validation, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.

Analysis

An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers with application/service management permissions to execute arbitrary commands as root on managed servers. The vulnerability affects all Coolify versions prior to 4.0.0-beta.451 and enables full remote code execution through unsanitized PostgreSQL init script filenames passed to shell commands. A public proof-of-concept exploit is available. The vulnerability is not currently listed in CISA KEV, and its EPSS score of 0.41% indicates a moderate probability of exploitation.

Technical Context

Coolify is an open-source platform-as-a-service (PaaS) tool used for self-hosting and managing servers, applications, and databases. The vulnerability is an instance of CWE-78 (Improper Neutralization of Special Elements used in an OS Command): PostgreSQL initialization script filenames are passed directly to shell commands without input validation or sanitization. Based on the CPE data, the entire Coolify 4.0.0 beta series from beta100 through beta450 is affected. The core issue is that user-controlled input (the init script filename) can contain shell metacharacters, which the shell interprets when the filename is embedded in a system command, allowing command injection.
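The CWE-78 pattern described above, as an added illustration that is not Coolify's code and does not reproduce the actual vulnerable code path: a filename interpolated into a shell command string, beside a hardened version that allowlists the name and runs the command as an argument list without a shell. The directory paths, function names and the copy-to-entrypoint step are assumptions made for the example.

```python
import re
import subprocess
from pathlib import PurePosixPath

# Constructed illustration of the CWE-78 pattern the analysis describes:
# a user-supplied init script filename reaching a shell command line.
# This is NOT Coolify's code; the directories, function names and the
# copy-to-entrypoint step are assumptions made for the example.

INIT_SCRIPT_DIR = "/data/init-scripts"          # assumed upload location
TARGET_DIR = "/docker-entrypoint-initdb.d/"     # PostgreSQL image convention


def build_command_vulnerable(filename: str) -> str:
    """Vulnerable pattern: the filename is interpolated into a single
    command string that a shell will later parse. Any shell metacharacter
    in the filename is interpreted by the shell instead of being treated
    as part of the file name."""
    return f"cp {INIT_SCRIPT_DIR}/{filename} {TARGET_DIR}"


# Allowlist: exactly one path component made of alphanumerics plus . _ -,
# starting with an alphanumeric (so no leading "-" option, no ".." and no
# hidden files) and bounded in length.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def validate_init_script_name(filename: str) -> str:
    """Reject anything outside the allowlist before it reaches a command.
    Returning the validated value lets callers chain it directly."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"invalid init script filename: {filename!r}")
    return filename


def build_command_hardened(filename: str) -> list[str]:
    """Hardened pattern: validate, then build an argv list. Run with
    shell=False, every element is handed to cp verbatim, so no shell ever
    sees the name; '--' stops cp from reading a name beginning with '-'
    as an option, as defence in depth behind the allowlist."""
    name = validate_init_script_name(filename)
    src = str(PurePosixPath(INIT_SCRIPT_DIR) / name)
    return ["cp", "--", src, TARGET_DIR]


def copy_init_script(filename: str) -> int:
    """Run the hardened command without a shell and return cp's exit code."""
    return subprocess.run(build_command_hardened(filename),
                          shell=False, check=False).returncode


if __name__ == "__main__":
    # Constructed sample names: one valid, one with a shell metacharacter,
    # one attempting to leave the script directory.
    for candidate in ["001_schema.sql", "schema.sql; echo injected", "../outside.sql"]:
        print("vulnerable:", build_command_vulnerable(candidate))
        try:
            print("hardened  :", build_command_hardened(candidate))
        except ValueError as exc:
            print("hardened  : rejected ->", exc)
```

The vulnerable builder returns the metacharacters untouched, which is exactly why a later `sh -c` invocation would execute them; the hardened builder never produces a string for a shell at all, and the allowlist rejects the malformed names before any command is built.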

Affected Products

Coolify versions prior to 4.0.0-beta.451 are affected by this vulnerability, specifically including all beta releases from 4.0.0-beta100 through 4.0.0-beta450 as identified by multiple CPE entries (cpe:2.3:a:coollabs:coolify:4.0.0:beta100 through beta108 and wildcard cpe:2.3:a:coollabs:coolify:*). The vulnerability has been disclosed through GitHub Security Advisory GHSA-24mp-fc9q-c884 and affects all deployments of the open-source Coolify platform within these version ranges.

Remediation

Upgrade Coolify to version 4.0.0-beta.451 or later, which contains the fix for this vulnerability as documented in the release notes at https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451 and pull request https://github.com/coollabsio/coolify/pull/7375. Until patching is possible, restrict access to Coolify's application and service management functions to only highly trusted administrators, implement network segmentation to limit exposure of the Coolify interface, and monitor system logs for suspicious command execution patterns. The vendor security advisory at https://github.com/coollabsio/coolify/security/advisories/GHSA-24mp-fc9q-c884 provides additional context.

Priority Score: 64 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.4
CVSS: +44
POC: +20
