Cyber Posture

CVE-2025-66209

Severity: Critical · Public PoC

Published: 23 December 2025
Modified: 17 March 2026
KEV Added:
Patch:
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0024 (47.6th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Backup functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Database names used in backup operations are passed directly to shell commands without sanitization, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.

Mitigating Controls (NIST 800-53 r5) · AI-generated

Prevent: SI-10 (Information Input Validation) requires that database names be validated and sanitized before they are passed to shell commands, which removes the root cause of the command injection in Coolify's backup functionality.

Prevent: SI-2 (Flaw Remediation) mandates timely identification, reporting, and patching of flaws such as this command injection CVE, i.e. upgrading to the fixed Coolify version 4.0.0-beta.451.

Prevent: AC-6 (Least Privilege) limits the privileges of Coolify processes and of the accounts used on managed servers, reducing the scope and impact of command execution triggered through injected database names, which currently runs as root.

Security Summary · AI-generated

CVE-2025-66209 is an authenticated command injection vulnerability (CWE-78) in the Database Backup functionality of Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. The issue affects versions prior to 4.0.0-beta.451, where database names used in backup operations are passed directly to shell commands without sanitization. This flaw has a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and was published on 2025-12-23.

An authenticated attacker with application or service management permissions can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By supplying a crafted database name, the attacker can inject arbitrary commands that execute as root on the managed servers, achieving full remote code execution with high confidentiality, integrity, and availability impact. The scope is changed (S:C): the impact reaches beyond the Coolify application itself to the servers it manages.

Mitigation is available in Coolify version 4.0.0-beta.451, which addresses the sanitization issue. Official advisories and resources include the GitHub security advisory (GHSA-vm5p-43qh-7pmq), the fixing pull request (#7375), and the release tag for v4.0.0-beta.451. Additional details are provided in the PoC repository at https://github.com/0xrakan/coolify-cve-2025-66209-66213.

Details

CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command, 'OS Command Injection')

Affected Products

Vendor: coollabs
Product: coolify
Versions: 4.0.0 · ≤ 4.0.0

MITRE ATT&CK Enterprise Techniques · AI-generated

T1059.004 Command and Scripting Interpreter: Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Authenticated command injection into unsanitized shell commands enables Unix Shell execution (T1059.004) as root, facilitating privilege escalation via exploitation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References