CVE-2025-66212
Command Injection in Coolify Proxy Filename Allows Root RCE
Publication date: 2025-12-23
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| coolify | coolify | 4.0.0-beta.451 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authenticated command injection in Coolify versions prior to 4.0.0-beta.451. It occurs in the handling of Dynamic Proxy Configuration Filenames, where filenames are passed to shell commands without proper escaping. This allows users with application or service management permissions to execute arbitrary commands as the root user on managed servers, leading to full remote code execution.
How can this vulnerability impact me? :
The vulnerability can have severe impacts, including unauthorized execution of arbitrary commands with root privileges on managed servers. This can lead to complete compromise of the affected servers, data breaches, service disruption, and potential further exploitation within the network.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Coolify to version 4.0.0-beta.451 or later, as this version fixes the authenticated command injection vulnerability in the Dynamic Proxy Configuration Filename handling. Additionally, restrict application/service management permissions to trusted users only to minimize risk until the upgrade is applied.