CVE-2025-66213

HIGH 8.8 (CVSS 3.1)
Published 2025-12-23

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 20:45 (vuln.today)
Patch Released: Mar 17, 2026 20:45 (nvd), patch available
PoC Detected: Mar 17, 2026 17:16 (vuln.today), public exploit code
CVE Published: Dec 23, 2025 22:15 (nvd)

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the File Storage Directory Mount Path functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. The file_storage_directory_source parameter is passed directly to shell commands without proper sanitization, enabling full remote code execution on the host system. Version 4.0.0-beta.451 fixes the issue.

Analysis

An authenticated command injection vulnerability in Coolify's File Storage Directory Mount Path functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. All Coolify versions prior to 4.0.0-beta.451 are affected and public proof-of-concept exploit code exists, although EPSS currently puts the exploitation probability at a relatively low 0.20%. An attacker who already holds a low-privileged account can turn unsanitized input in the file_storage_directory_source parameter into full remote code execution with root privileges on the host system, which is why the vector scores PR:L yet C:H/I:H/A:H.

Technical Context

Coolify is an open-source, self-hostable platform for managing servers, applications, and databases, comparable to Heroku or Netlify but run on your own infrastructure. The vulnerability is CWE-78 (OS Command Injection): user-controlled input from the file_storage_directory_source parameter is interpolated into shell commands without sanitization or validation, so shell metacharacters in what should be a directory path become additional commands that the command runner executes. The CPE data marks the whole 4.0.0 beta series from beta100 through beta450 as affected, so the flaw was present across several hundred beta releases before it was reported and patched.
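To make the CWE-78 shape concrete, the following is an added illustration written for this page; it is not Coolify's code (Coolify is a PHP application and the real vulnerable function is not reproduced here). It shows a mount-path parameter interpolated into a shell string next to a hardened version that allow-lists the path and hands it to the process as a separate argv element, plus the quoting needed when the command must cross an SSH hop as one string. The attacker input and the helper names (run_vulnerable, run_hardened, is_safe_mount_path, quote_for_remote_shell) are constructed for the example.

```python
import re
import shlex
import subprocess
import tempfile
from pathlib import PurePosixPath

# Constructed attacker-controlled value for a "mount path" style parameter.
# The ';' terminates the intended command; everything after it is attacker code,
# and the trailing '#' comments out whatever the template appends.
INJECTED_SOURCE = "/data/uploads; id > /tmp/pwned #"


def build_vulnerable_command(source: str) -> str:
    """The CWE-78 shape: untrusted text interpolated straight into a shell string."""
    return f"mkdir -p {source} && ls -d {source}"


def run_vulnerable(source: str) -> str:
    """Executes the interpolated string through /bin/sh, as the vulnerable pattern does."""
    result = subprocess.run(build_vulnerable_command(source), shell=True,
                            capture_output=True, text=True)
    return result.stdout


def is_safe_mount_path(path: str) -> bool:
    """Allow-list check for a host directory path: absolute, conservative
    character set (no spaces or shell metacharacters), no '..' components."""
    if not path.startswith("/") or len(path) > 4096:
        return False
    if not re.fullmatch(r"/[A-Za-z0-9._/-]*", path):
        return False
    return ".." not in PurePosixPath(path).parts


def run_hardened(source: str) -> str:
    """Validate first, then pass the path as its own argv element so no shell
    ever parses it. Raises ValueError instead of running on a rejected path."""
    if not is_safe_mount_path(source):
        raise ValueError(f"rejected mount path: {source!r}")
    subprocess.run(["mkdir", "-p", source], check=True)
    result = subprocess.run(["ls", "-d", source], capture_output=True,
                            text=True, check=True)
    return result.stdout


def quote_for_remote_shell(argv: list[str]) -> str:
    """When a control plane has to ship the command over SSH as a single string,
    every element must be shell-quoted; validation alone is not enough there."""
    return " ".join(shlex.quote(a) for a in argv)


def demo() -> dict:
    """Runs both variants against a benign constructed payload in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        benign_payload = f"{tmp}/uploads; echo INJECTED"
        vuln_out = run_vulnerable(benign_payload)
        try:
            run_hardened(benign_payload)
            hardened_rejected = False
        except ValueError:
            hardened_rejected = True
        clean_out = run_hardened(f"{tmp}/uploads")
    return {
        "vulnerable_executed_injection": "INJECTED" in vuln_out,
        "hardened_rejected_injection": hardened_rejected,
        "hardened_ran_clean_path": clean_out.strip().endswith("/uploads"),
    }


if __name__ == "__main__":
    print(build_vulnerable_command(INJECTED_SOURCE))
    print(quote_for_remote_shell(["mkdir", "-p", INJECTED_SOURCE]))
    print(demo())
```

The allow-list is deliberately stricter than what a filesystem permits: a legitimate mount directory rarely needs spaces or punctuation beyond dot, underscore and dash, and rejecting everything else removes the whole class of separator tricks rather than chasing individual metacharacters.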

Affected Products

Coolify versions prior to 4.0.0-beta.451 are affected; the CPE entries list the 4.0.0 beta series from beta100 through beta450 (cpe:2.3:a:coollabs:coolify:4.0.0:beta100 through cpe:2.3:a:coollabs:coolify:4.0.0:beta450). The vendor advisory at https://github.com/coollabsio/coolify/security/advisories/GHSA-cj2c-9jx8-j427 confirms the vulnerability and points to the patched release. Verify the installed version and upgrade immediately if it falls inside the affected range.

Remediation

Upgrade Coolify to version 4.0.0-beta.451 or later, which contains the fix documented in pull request https://github.com/coollabsio/coolify/pull/7375; the patched release is available at https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451. Until the upgrade is possible, restrict access to the Coolify management interface to trusted administrators, segment the network to limit exposure, and monitor managed servers for unexpected command execution. Because the injected commands run as root on the managed servers and exploit code is public, an instance that granted application or service management permissions to untrusted users should be reviewed for signs of compromise, not only patched.
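Version strings for Coolify betas sort in a way that naive string comparison gets wrong ("4.0.0-beta.451" is newer than "4.0.0-beta.99", and a plain "4.0.0" would be newer than any beta), so the "verify the installed version" step above is worth writing down. The following is an added example for this page, not Coolify's own tooling: it implements the advisory's "prior to 4.0.0-beta.451" rule as a comparison that accepts the release spelling ("4.0.0-beta.451"), the CPE spelling ("4.0.0:beta450" style, written here as "4.0.0-beta450") and an optional "v" prefix. How you obtain the running version (an API call, the UI, or the container image tag) is left to the operator; the sample inputs are constructed.

```python
import re
from typing import Dict, Iterable, Tuple

# Added example, not Coolify's code. Fixed version taken from the advisory text.
FIXED_VERSION = "4.0.0-beta.451"

# Accepts "4.0.0-beta.451", "v4.0.0-beta451" and plain "4.0.0".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-beta\.?(\d+))?$")


def parse_coolify_version(version: str) -> Tuple[int, int, int, int, int]:
    """Return a sortable key (major, minor, patch, is_release, beta_number).

    is_release is 1 for a plain x.y.z and 0 for a beta, so that a stable
    release sorts after every beta of the same x.y.z (semver prerelease rule).
    Raises ValueError for strings that are not a version at all.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Coolify version string: {version!r}")
    major, minor, patch, beta = m.groups()
    is_release = 1 if beta is None else 0
    return (int(major), int(minor), int(patch), is_release, int(beta or 0))


def is_affected(version: str) -> bool:
    """True when the version sorts before the fixed release."""
    return parse_coolify_version(version) < parse_coolify_version(FIXED_VERSION)


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Classify a fleet's reported versions as affected, fixed or unparseable."""
    out: Dict[str, str] = {}
    for v in versions:
        try:
            out[v] = "affected" if is_affected(v) else "fixed"
        except ValueError:
            out[v] = "unparseable"
    return out


if __name__ == "__main__":
    # Constructed sample of what a fleet inventory might report.
    sample = ["4.0.0-beta.450", "v4.0.0-beta.451", "4.0.0-beta100", "4.0.0", "latest"]
    for version, status in triage(sample).items():
        print(f"{version:>16}  {status}")
```

Note that a version such as "3.x" also sorts as affected under the literal "prior to" rule, while the CPE entries only name the 4.0.0 betas; treat anything outside 4.0.0-beta100 through beta450 as a separate question rather than a confirmed hit.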

Priority Score

64 (KEV: 0, EPSS: +0.2, CVSS: +44, POC: +20)


CVE-2025-66213 vulnerability details – vuln.today
