CVE-2025-66212

Severity: HIGH
Published: 2025-12-23 (reporter: [email protected])
CVSS 3.1 base score: 8.8

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch Released: Mar 17, 2026 - 20:45 (nvd) - patch available
PoC Detected: Mar 17, 2026 - 17:16 (vuln.today) - public exploit code
CVE Published: Dec 23, 2025 - 22:15 (nvd)

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Dynamic Proxy Configuration Filename handling allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Proxy configuration filenames are passed to shell commands without proper escaping, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.

Analysis

An authenticated command injection vulnerability in Coolify's Dynamic Proxy Configuration Filename handling allows users with application/service management permissions to execute arbitrary commands as root on managed servers. The vulnerability affects all Coolify versions prior to 4.0.0-beta.451, with a publicly available proof-of-concept exploit and moderate exploitation likelihood (EPSS 20%, percentile 41%). Attackers can achieve full remote code execution with root privileges by injecting shell commands through unescaped proxy configuration filenames.

Technical Context

Coolify is an open-source, self-hostable platform for managing servers, applications, and databases, similar to a simplified PaaS solution. The vulnerability stems from CWE-78 (OS Command Injection), where proxy configuration filenames are passed directly to shell commands without proper input sanitization or escaping. Based on the CPE data, the vulnerability affects Coolify versions from at least 4.0.0-beta100 through 4.0.0-beta450, though the wildcard CPE entry suggests earlier versions may also be vulnerable. The issue occurs specifically in the Dynamic Proxy Configuration component where user-supplied filenames are concatenated into shell commands executed with elevated privileges.
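The CWE-78 pattern the paragraph above describes, shown as an added example that is not Coolify's own code (Coolify is not written in Python; the directory path, the filenames, the `rm -f` command and every function name below are hypothetical and chosen only to illustrate the failure mode and its fix). The vulnerable form concatenates a user-controlled filename into a shell string; the hardened form allowlists the filename and passes it as an argv element so no shell ever parses it, with `shlex.quote` as a fallback for the case where a shell string cannot be avoided (for example a command sent over SSH to a managed server).

```python
import re
import shlex
import subprocess

# Hypothetical location of dynamic proxy configuration files (not Coolify's real path).
PROXY_DIR = "/data/proxy/dynamic"

# Constructed sample inputs: a normal filename and one carrying a shell metacharacter.
BENIGN_NAME = "my-app.yaml"
HOSTILE_NAME = "x.yaml; id"


def build_command_vulnerable(filename: str) -> str:
    """The unsafe pattern: the filename is interpolated into a shell string.
    If this string is later run through a shell, ';' ends the intended command
    and whatever follows runs with the privileges of the caller."""
    return f"rm -f {PROXY_DIR}/{filename}"


# Allowlist for a single path component: must start with an alphanumeric
# character, so leading dots (and therefore '..') are excluded; no slashes,
# whitespace or shell metacharacters are permitted at all.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def is_safe_proxy_filename(filename: str) -> bool:
    """True only when the filename matches the allowlist."""
    return _SAFE_NAME.fullmatch(filename) is not None


def validate_proxy_filename(filename: str) -> str:
    """Reject anything outside the allowlist before it reaches any command."""
    if not is_safe_proxy_filename(filename):
        raise ValueError(f"rejected proxy configuration filename: {filename!r}")
    return filename


def build_command_safe(filename: str) -> list[str]:
    """Hardened form: validate, then build an argv list. Each element is passed
    to the program as one argument, so there is nothing for a shell to reinterpret."""
    name = validate_proxy_filename(filename)
    return ["rm", "-f", f"{PROXY_DIR}/{name}"]


def build_shell_string_escaped(filename: str) -> str:
    """Fallback when a single shell string is unavoidable: validate first, then
    quote the whole path so the remote shell sees one literal word."""
    name = validate_proxy_filename(filename)
    return f"rm -f {shlex.quote(PROXY_DIR + '/' + name)}"


def run_safe(filename: str) -> subprocess.CompletedProcess:
    """Execute the argv form without a shell (shell=False is the default)."""
    return subprocess.run(build_command_safe(filename), check=False)


if __name__ == "__main__":
    # Show the two forms side by side without executing anything.
    print("vulnerable:", build_command_vulnerable(HOSTILE_NAME))
    print("argv form :", build_command_safe(BENIGN_NAME))
    print("quoted    :", build_shell_string_escaped(BENIGN_NAME))
    try:
        build_command_safe(HOSTILE_NAME)
    except ValueError as exc:
        print("rejected  :", exc)
```

The allowlist is the primary control: a filename that is only ever a single, plainly named component never needs quoting. `shlex.quote` is kept as the secondary control for the shell-string case, and it is applied after validation rather than instead of it, so a quoting bug cannot become the only thing standing between the request and root on a managed server.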

Affected Products

Coolify versions prior to 4.0.0-beta.451 are vulnerable to this command injection flaw. The CPE entries confirm affected versions include 4.0.0-beta100 through 4.0.0-beta450, with the wildcard CPE (cpe:2.3:a:coollabs:coolify:*:*:*:*:*:*:*:*) suggesting all versions before the fix may be vulnerable. The vendor has acknowledged the vulnerability in their security advisory at https://github.com/coollabsio/coolify/security/advisories/GHSA-q7rg-2j7p-83gp and released a patch in version 4.0.0-beta.451 as documented in their release notes.

Remediation

Upgrade Coolify to version 4.0.0-beta.451 or later immediately, as this version includes the fix for the command injection vulnerability (see patch at https://github.com/coollabsio/coolify/pull/7375). Until patching is possible, restrict access to Coolify's management interface to trusted administrators only, implement network segmentation to limit which servers can be managed, and monitor for suspicious command execution on managed servers. Review the vendor's security advisory at https://github.com/coollabsio/coolify/security/advisories/GHSA-q7rg-2j7p-83gp for additional context and ensure all managed servers are audited for potential compromise given the root-level execution capability.

Priority Score

Score: 64 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.2
CVSS: +44
POC: +20


CVE-2025-66212 vulnerability details – vuln.today
