Cybersecurity researchers have detailed multiple-severity security flaws affecting Coolify, an open-source self-hosting platform. This could lead to authentication bypass or remote code execution.
Here is the list of vulnerabilities:
CVE-2025-66209 (CVSS Score: 10.0) – Command injection vulnerability in the database backup feature allows an authenticated user with database backup privileges to execute arbitrary commands on the host server, resulting in a container escape and compromise of the entire server. CVE-2025-66210 (CVSS score: 10.0) – Authenticated command injection vulnerability in the database import functionality allows attackers to execute arbitrary commands. CVE-2025-66211 (CVSS Score: 10.0) – Command injection vulnerability in PostgreSQL init script management allows an authenticated user with database privileges to execute arbitrary commands as root on the server CVE-2025-66212 (CVSS Score: 10.0) – Authenticated command injection vulnerability in the Dynamic Proxy Configuration feature allows a user to execute arbitrary commands as root on a managed server Server administrative privileges to execute arbitrary commands as root CVE-2025-66213 (CVSS score: 10.0) – Authenticated command injection vulnerability in the File Storage Directory Mount feature allows users with application/service administrative privileges to execute arbitrary commands as root on a managed server CVE-2025-64419 (CVSS score: 9.7) – Command injection vulnerability caused by an attacker to docker-compose.yaml allows execution of arbitrary system commands as root on a Coolify instance CVE-2025-64420 (CVSS score: 10.0) – Information disclosure vulnerability allows a low-privileged user to view the root user’s private key on a Coolify instance, gain unauthorized access to the server via SSH, and use that key to authenticate as the root user. CVE-2025-64424 (CVSS score: 9.4) – A command injection vulnerability is found in the git source input field of a resource, allowing a low-privileged user (member) to execute system commands as root on a Coolify instance CVE-2025-59156 (CVSS score: 9.4) – Operating system commands Injection vulnerability allows low-privileged users to inject arbitrary commands CVE-2025-59157 (CVSS score: 10.0) – Operating system command injection vulnerability allows ordinary users to execute arbitrary shells that run on the underlying server using the Git repository field during deployment. Allows command injection CVE-2025-59158 (CVSS score: 9.4) – Improper encoding or escaping of data This allows authenticated users with low privileges to perform stored cross-site scripting (XSS) attacks during project creation. This attack is automatically executed in the browser context when an administrator later attempts to delete the project or its related resources.
The following versions will be affected by this shortcoming.
CVE-2025-66209, CVE-2025-66210, CVE-2025-66211 – <= 4.0.0-beta.448 (>= fixed in 4.0.0-beta.451) CVE-2025-66212, CVE-2025-66213 – <= 4.0.0-beta.450 (fixed in 4.0.0-beta.451 and above) CVE-2025-64419 - < 4.0.0-beta.436 (Fixed with 4.0.0-beta.445 or higher) CVE-2025-64420, CVE-2025-64424 - <= 4.0.0-beta.434 (Fixed status is unclear) CVE-2025-59156, CVE-2025-59157, CVE-2025-59158 - <= 4.0.0-beta.420.6 (fixed in 4.0.0-beta.420.7)
Source: Sensis
According to data from attack surface management platform Censys, as of January 8, 2026, there were approximately 52,890 public Coolify hosts, with the majority located in Germany (15,000), the United States (9,800), France (8,000), Brazil (4,200), and Finland (3,400).
Although there is no evidence that these flaws have been exploited in the wild, it is important for users to consider their severity and act quickly to apply fixes as soon as possible.
Source link
