CVE-2025-66209 | Coolify is an open-source and self-hostable tool for managin… | CVSS 10.0 CRITICAL

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Backup functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Database names used in backup operations are passed directly to shell commands without sanitization, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.

Metadata

CVE ID: CVE-2025-66209
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2025-11-24 23:01 UTC
Published: 2025-12-23 21:42 UTC
Last updated: 2026-03-17 16:21 UTC
Primary CWE: CWE-78
CWE-78: Improper Neutralization of Special Elements used in …
Vendor / Product: coollabsio / coolify
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
coollabsio	coolify	—	< 4.0.0-beta.451

Weakness (CWE)

CWE	Source	Description
CWE-78	cna	CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References (4)

https://github.com/coollabsio/coolify/security/advisories/GHSA-vm5p-43qh-7pmq https://github.com/coollabsio/coolify/security/advisories/GHSA-vm5p-43qh-7pmq
https://github.com/coollabsio/coolify/pull/7375 https://github.com/coollabsio/coolify/pull/7375
https://github.com/0xrakan/coolify-cve-2025-66209-66213 https://github.com/0xrakan/coolify-cve-2025-66209-66213
https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451 https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451