CVE-2025-66211
Command Injection in Coolify PostgreSQL Init Script Enables Root RCE
Publication date: 2025-12-23
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| coolify | coolify | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authenticated command injection in Coolify versions prior to 4.0.0-beta.451. It occurs in the handling of PostgreSQL initialization script filenames, which are passed to shell commands without proper validation. This flaw allows users with application or service management permissions to execute arbitrary commands as the root user on managed servers, leading to full remote code execution.
How can this vulnerability impact me? :
If exploited, this vulnerability allows an attacker with certain permissions to execute arbitrary commands as root on managed servers. This can lead to complete compromise of the affected servers, including unauthorized access, data theft, data manipulation, service disruption, and potentially further attacks within the network.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Coolify to version 4.0.0-beta.451 or later, as this version fixes the authenticated command injection vulnerability in PostgreSQL Init Script Filename handling.