Coolify
CVE-2025-66213
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the File Storage Directory Mount Path functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. The file_storage_directory_source parameter is passed directly to shell commands without proper sanitization, enabling full remote code execution on the host system. Version 4.0.0-beta.451 fixes the issue.
AnalysisAI
An authenticated command injection vulnerability in Coolify's File Storage Directory Mount Path functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. The vulnerability affects all Coolify versions prior to 4.0.0-beta.451 and has a publicly available proof-of-concept exploit, though current exploitation probability remains relatively low at 0.20% according to EPSS data. Attackers can achieve full remote code execution with root privileges on the host system by exploiting unsanitized input in the file_storage_directory_source parameter.
Technical ContextAI
Coolify is an open-source, self-hostable platform for managing servers, applications, and databases, similar to platforms like Heroku or Netlify but designed for self-hosting. The vulnerability stems from CWE-78 (OS Command Injection), where user-controlled input from the file_storage_directory_source parameter is passed directly to shell commands without proper sanitization or validation. Based on the CPE data, the vulnerability affects the entire 4.0.0 beta series from beta100 through beta450, indicating this is a design flaw that persisted through hundreds of beta releases before being discovered and patched.
RemediationAI
Upgrade Coolify to version 4.0.0-beta.451 or later immediately, which contains the fix for this vulnerability as documented in pull request https://github.com/coollabsio/coolify/pull/7375. The patched version is available from the official releases page at https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451. Until patching is possible, restrict access to the Coolify management interface to trusted administrators only, implement network segmentation to limit exposure, and monitor for suspicious command execution on managed servers.
Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repo
A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application
Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with ba
Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated,
Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an ap
Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deplo
Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application d
Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permiss
Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authentica
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0
An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today