CVE-2025-66209
Command Injection in Coolify Database Backup Allows Root RCE
Publication date: 2025-12-23
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| coolify | coolify | 4.0.0-beta.451 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authenticated command injection in Coolify's Database Backup functionality prior to version 4.0.0-beta.451. Users with application or service management permissions can execute arbitrary commands as root on managed servers because database names used in backup operations are passed directly to shell commands without sanitization, allowing full remote code execution.
How can this vulnerability impact me? :
The vulnerability allows attackers with certain permissions to execute arbitrary commands as root on managed servers, potentially leading to full system compromise, unauthorized access, data theft, or disruption of services.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Coolify to version 4.0.0-beta.451 or later, as this version fixes the authenticated command injection vulnerability in the Database Backup functionality. Additionally, restrict application/service management permissions to trusted users only to reduce risk until the upgrade is applied.