CVE-2025-66211

high-risk
Published 2025-12-23

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in PostgreSQL Init Script Filename handling allows users with application/service management permissions to execute arbitrary commands as root on managed servers. PostgreSQL initialization script filenames are passed to shell commands without proper validation, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.

Do I need to act?

-
0.41% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (20)

Affected Vendors

Coollabs

References (5)

Exploit https://github.com/0xrakan/coolify-cve-2025-66209-66213
Issue Tracking https://github.com/coollabsio/coolify/pull/7375
Release Notes https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451
https://github.com/coollabsio/coolify/security/advisories/GHSA-24mp-fc9q-c884
https://github.com/coollabsio/coolify/security/advisories/GHSA-24mp-fc9q-c884
65
/ 100
high-risk
Severity 30/34 · Critical
Exploitability 2/34 · Minimal
Exposure 33/34 · Critical