Cyber Posture

CVE-2025-66210

High · Public PoC

Published: 23 December 2025
Modified: 17 March 2026
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0047 (64.8th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Import functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Database names used in import operations are passed directly to shell commands without sanitization, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.

Mitigating Controls (NIST 800-53 r5) (AI)

- prevent: Requires validation of database names prior to their use in shell commands, directly preventing command injection by rejecting or sanitizing malicious inputs.
- prevent: Mandates timely remediation of the specific command injection flaw by patching Coolify to version 4.0.0-beta.451 or later, eliminating the unsanitized input issue.
- prevent: Enforces least privilege to restrict application/service management permissions, limiting the scope of root-level command execution even if injection occurs.

Security Summary (AI)

CVE-2025-66210 is an authenticated command injection vulnerability (CWE-78) in the Database Import functionality of Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. The issue affects versions prior to 4.0.0-beta.451, where database names used in import operations are passed directly to shell commands without sanitization. This flaw has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

An attacker with application or service management permissions can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By crafting a malicious database name during an import operation, the attacker can inject and execute arbitrary shell commands as the root user on the managed servers, achieving full remote code execution and potentially compromising the entire hosting environment.

The vulnerability is fixed in Coolify version 4.0.0-beta.451, as detailed in the project's security advisory (GHSA-q33h-22xm-4cgh) and associated pull request. Security practitioners should update to this version or later and review permissions for application/service management to mitigate exposure, with further details available in the GitHub release notes and related repositories.
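The first mitigating control above and the security summary both come down to one pattern: a user-controlled database name must never reach a shell as raw text. The following is an added example, not Coolify's code (which is PHP and not reproduced here). It contrasts the weak pattern the advisory describes (string interpolation into a command line) with a hardened form that allowlists the name and hands the command to the operating system as an argv list; `psql` is an assumed stand-in for whatever import tool is invoked, the function names are hypothetical, and the remote-command variant assumes the import runs on a managed server over SSH, where a single command string is unavoidable and quoting becomes a second layer behind validation.

```python
from __future__ import annotations

import re
import shlex
import subprocess

# Constructed allowlist for database identifiers (hypothetical policy, not Coolify's):
# letters, digits and underscore only, must start with a letter or underscore, max 63 chars.
# Everything a shell could interpret (; | & $ ( ) ` quotes, whitespace) is outside the set.
DB_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")


def is_valid_db_name(name: str) -> bool:
    """Allowlist check on the database name; reject rather than try to strip bad characters."""
    return DB_NAME_RE.fullmatch(name) is not None


def build_import_command_vulnerable(db_name: str, dump_path: str) -> str:
    """The weak pattern described in the advisory: the user-supplied name is interpolated
    straight into a shell command line. Shown only to make the defect visible; never execute it."""
    return f"psql -d {db_name} -f {dump_path}"


def build_import_argv(db_name: str, dump_path: str) -> list[str]:
    """Hardened local form: validate first, then build an argv list so no shell ever parses it."""
    if not is_valid_db_name(db_name):
        raise ValueError(f"rejected database name: {db_name!r}")
    return ["psql", "-d", db_name, "-f", dump_path]


def build_remote_command(db_name: str, dump_path: str) -> str:
    """Hardened remote form (assumption: the import is sent to a managed server over SSH,
    so the remote side receives one string that its shell will parse). Validation stays the
    primary control; shlex.quote is defence in depth for the path and any other token."""
    if not is_valid_db_name(db_name):
        raise ValueError(f"rejected database name: {db_name!r}")
    return " ".join(shlex.quote(tok) for tok in ["psql", "-d", db_name, "-f", dump_path])


def run_import(db_name: str, dump_path: str) -> subprocess.CompletedProcess:
    """Execute locally without a shell: a list argv with the default shell=False."""
    return subprocess.run(build_import_argv(db_name, dump_path), check=False, capture_output=True)


if __name__ == "__main__":
    benign = "app_db"
    hostile = "app_db; id"  # constructed sample: a shell metacharacter inside the name
    # The vulnerable builder lets a second command ride along in the same line.
    print(build_import_command_vulnerable(hostile, "/tmp/dump.sql"))
    # The hardened builders keep the name as one argv element and refuse it anyway.
    print(build_import_argv(benign, "/tmp/dump.sql"))
    print(build_remote_command(benign, "/tmp/dump.sql"))
    for name in (benign, hostile):
        print(f"{name!r} -> {'accepted' if is_valid_db_name(name) else 'rejected'}")
```

The order matters: validate, then construct argv, then execute without a shell. Quoting alone is not the fix, because the same name may later be interpolated into SQL or a second command path; an allowlist on the identifier removes the whole class rather than one encoding of it.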

Details

CWE(s): CWE-78

Affected Products

coollabs / coolify, version 4.0.0 · ≤ 4.0.0

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Authenticated command injection (CWE-78) in a network-accessible management tool enables exploitation of public-facing application (T1190), arbitrary Unix shell execution (T1059.004), and privilege escalation to root via the vulnerability (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References