CVE-2025-66213

HighPublic PoC

Published: 23 December 2025

Published

23 December 2025

Modified

17 March 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0022 44.9th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the File Storage Directory Mount Path functionality allows users with application/service management permissions to execute arbitrary commands…

as root on managed servers. The file_storage_directory_source parameter is passed directly to shell commands without proper sanitization, enabling full remote code execution on the host system. Version 4.0.0-beta.451 fixes the issue.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates command injection by requiring validation and sanitization of inputs like the file_storage_directory_source parameter before passing to shell commands.

SI-2 Flaw Remediation good match

prevent

Ensures timely flaw remediation through patching to version 4.0.0-beta.451 or later, which fixes the unsanitized input vulnerability.

AC-6 Least Privilege partial match

prevent

Enforces least privilege on Coolify processes to limit damage from injected commands, preventing root-level execution even if injection occurs.

Security SummaryAI

CVE-2025-66213 is an authenticated command injection vulnerability in Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. The issue affects versions prior to 4.0.0-beta.451 and resides in the File Storage Directory Mount Path functionality, where the file_storage_directory_source parameter is passed directly to shell commands without proper sanitization. This flaw, classified under CWE-78, enables attackers to inject and execute arbitrary commands.

Users with application or service management permissions can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants full remote code execution on the host system with root privileges, potentially allowing complete compromise of managed servers, including data exfiltration, persistence, or further lateral movement.

Official advisories and the project maintainers recommend updating to version 4.0.0-beta.451 or later, which addresses the issue through proper input sanitization. Relevant GitHub resources include the security advisory GHSA-cj2c-9jx8-j427, the fixing pull request at coolify/pull/7375, and the release tag v4.0.0-beta.451.

Details

CWE(s): CWE-78

Affected Products

coollabs

coolify

4.0.0 · ≤ 4.0.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Authenticated command injection vulnerability in a remotely accessible self-hosted management tool enables exploitation of a public-facing application (T1190) to achieve remote code execution via direct injection into Unix shell commands (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/0xrakan/coolify-cve-2025-66209-66213
Exploit, Third Party Advisory · security-advisories@github.com
https://github.com/coollabsio/coolify/pull/7375
Issue Tracking, Patch · security-advisories@github.com
https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451
Release Notes · security-advisories@github.com
https://github.com/coollabsio/coolify/security/advisories/GHSA-cj2c-9jx8-j427
security-advisories@github.com
https://github.com/coollabsio/coolify/security/advisories/GHSA-cj2c-9jx8-j427
134c704f-9b21-4f2e-91b3-4a467353bcc0