CVE-2025-66210
Authenticated Command Injection in Coolify Database Import Enables Root RCE
Publication date: 2025-12-23
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| coolify | coolify | 4.0.0-beta.451 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authenticated command injection in Coolify's Database Import functionality prior to version 4.0.0-beta.451. Users with application or service management permissions can exploit it by using database names that are passed directly to shell commands without sanitization, allowing them to execute arbitrary commands as root on managed servers.
How can this vulnerability impact me? :
The vulnerability allows attackers with certain permissions to execute arbitrary commands as root on managed servers, potentially leading to full remote code execution. This can compromise the entire server, leading to data theft, service disruption, or further attacks within the network.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Coolify to version 4.0.0-beta.451 or later, as this version fixes the authenticated command injection vulnerability in the Database Import functionality.