CVE-2025-66213
Command Injection in Coolify File Storage Enables Root RCE
Publication date: 2025-12-23
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| coolify | coolify | 4.0.0-beta.451 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authenticated command injection in Coolify's File Storage Directory Mount Path functionality. Users with application or service management permissions can exploit the file_storage_directory_source parameter, which is passed directly to shell commands without proper sanitization, allowing them to execute arbitrary commands as root on the managed servers. This leads to full remote code execution on the host system.
How can this vulnerability impact me? :
If exploited, this vulnerability allows an attacker with certain permissions to execute arbitrary commands as root on the managed servers. This can lead to complete compromise of the server, including unauthorized access, data theft, data modification, service disruption, and potentially further attacks within the network.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Coolify to version 4.0.0-beta.451 or later, as this version fixes the authenticated command injection vulnerability in the File Storage Directory Mount Path functionality.