CVE-2025-66209

high-risk
Published 2025-12-23

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Backup functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Database names used in backup operations are passed directly to shell commands without sanitization, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.

Do I need to act?

-
0.20% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: d9ec105430869a98d0b3415c76a5d519403269a0
9
CVSS 9.9/10 Critical
NETWORK / LOW complexity

Affected Products (20)

Affected Vendors

Coollabs

References (5)

Exploit https://github.com/0xrakan/coolify-cve-2025-66209-66213
Issue Tracking https://github.com/coollabsio/coolify/pull/7375
Release Notes https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451
Exploit https://github.com/coollabsio/coolify/security/advisories/GHSA-vm5p-43qh-7pmq
Exploit https://github.com/coollabsio/coolify/security/advisories/GHSA-vm5p-43qh-7pmq
67
/ 100
high-risk
Severity 33/34 · Critical
Exploitability 1/34 · Minimal
Exposure 33/34 · Critical