CVE-2025-66210

high-risk
Published 2025-12-23

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Import functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Database names used in import operations are passed directly to shell commands without sanitization, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.

Do I need to act?

-
0.41% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (20)

Affected Vendors

Coollabs

References (5)

Exploit https://github.com/0xrakan/coolify-cve-2025-66209-66213
Issue Tracking https://github.com/coollabsio/coolify/pull/7375
Release Notes https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451
https://github.com/coollabsio/coolify/security/advisories/GHSA-q33h-22xm-4cgh
https://github.com/coollabsio/coolify/security/advisories/GHSA-q33h-22xm-4cgh
65
/ 100
high-risk
Severity 30/34 · Critical
Exploitability 2/34 · Minimal
Exposure 33/34 · Critical