CVE-2025-66209 Overview
CVE-2025-66209 is an authenticated command injection vulnerability [CWE-78] in Coolify, an open-source self-hostable platform for managing servers, applications, and databases. The flaw resides in the Database Backup functionality, where database names are passed directly to shell commands without sanitization. Authenticated users with application or service management permissions can inject arbitrary shell commands that execute as root on managed servers. Versions prior to 4.0.0-beta.451 are affected. Coollabs released version 4.0.0-beta.451 to remediate the issue.
Critical Impact
Authenticated attackers with application or service management permissions can achieve full remote code execution as root on every server managed by the Coolify instance, leading to complete compromise of the hosting infrastructure.
Affected Products
- Coollabs Coolify versions prior to 4.0.0-beta.451
- All 4.0.0 beta releases from beta18 through beta450
- Self-hosted Coolify deployments managing remote servers via SSH
Discovery Timeline
- 2025-12-23 - CVE-2025-66209 published to NVD
- 2026-03-17 - Last updated in NVD database
Technical Details for CVE-2025-66209
Vulnerability Analysis
The vulnerability lives in the Database Backup workflow of Coolify. When a backup operation runs, Coolify constructs a shell command that incorporates the user-supplied database name. The application concatenates that value directly into the shell invocation without escaping or validating shell metacharacters. Because Coolify executes backup operations on managed servers with elevated privileges, the injected commands run as root. This converts a low-privilege application management action into full remote code execution across the entire fleet of servers under Coolify's control. The EPSS percentile of 88.472 reflects elevated exploitation interest relative to the broader CVE corpus.
Root Cause
The root cause is improper neutralization of special elements used in an OS command [CWE-78]. Database name strings are interpolated into shell commands rather than passed as arguments to a parameterized execution function. Shell metacharacters such as ;, |, &&, $(), and backticks are not stripped, escaped, or rejected before the command reaches the shell.
Attack Vector
Exploitation requires an authenticated session with permission to manage applications or services in Coolify. The attacker creates or modifies a database resource and supplies a database name containing shell metacharacters followed by an arbitrary command payload. When the backup routine fires, the injected payload is executed by the shell on the managed server under the root account. Network reachability to the Coolify web interface is sufficient; no user interaction is required. Verified proof-of-concept material is published in the public PoC repository and additional context appears in the GHSA-vm5p-43qh-7pmq advisory.
// Code example not provided — see the referenced security advisory and PoC repository for technical details.
Detection Methods for CVE-2025-66209
Indicators of Compromise
- Database resources in Coolify whose configured names contain shell metacharacters such as ;, |, &, $(, or backticks.
- Unexpected root-owned processes spawned by the Coolify agent or backup scheduler on managed servers.
- Outbound network connections from managed servers to unfamiliar hosts immediately following scheduled or manual backup jobs.
- New cron entries, SSH authorized keys, or systemd units written to managed servers shortly after a database backup event.
Detection Strategies
- Audit the Coolify database inventory for non-conforming database name strings and reject anything outside an alphanumeric and underscore pattern.
- Correlate Coolify backup job execution logs with shell process telemetry from managed servers to identify commands that do not match the expected pg_dump, mysqldump, or mongodump invocations.
- Monitor auth.log and process ancestry on managed hosts for child processes of the Coolify backup runner that drop into interpreters such as sh, bash, python, or curl.
Monitoring Recommendations
- Forward Coolify application logs, agent logs, and managed-host process events to a centralized logging or SIEM platform for behavioral baselining.
- Alert on any modification to user role assignments that grants application or service management permissions, especially to recently created accounts.
- Track outbound traffic from managed servers to detect reverse shells or staging downloads initiated through backup-time command injection.
How to Mitigate CVE-2025-66209
Immediate Actions Required
- Upgrade all Coolify instances to version 4.0.0-beta.451 or later as published in the v4.0.0-beta.451 release notes.
- Review and revoke application and service management permissions for any account that does not require them, applying least privilege to the Coolify role model.
- Inspect existing database resources for malicious names and remove or rename any entries containing shell metacharacters before triggering further backups.
- Rotate SSH keys, API tokens, and credentials stored on managed servers if exploitation is suspected.
Patch Information
Coollabs fixed CVE-2025-66209 in Coolify 4.0.0-beta.451. The fix is tracked in pull request #7375 and documented in the GHSA-vm5p-43qh-7pmq advisory. Operators self-hosting Coolify should follow the standard upgrade procedure to pull the patched container image and restart the stack.
Workarounds
- Restrict the Coolify web interface to trusted networks or place it behind a VPN to reduce exposure to authenticated attackers.
- Temporarily disable the Database Backup functionality until the patched version is deployed.
- Limit account creation and require multi-factor authentication for all users granted application or service management permissions.
- Enforce strict naming policies for database resources, allowing only [A-Za-z0-9_] characters until the upgrade is complete.
# Upgrade Coolify to the patched release
curl -fsSL https://cdn.coollabs.io/coolify/install.sh | sudo bash -s -- --version v4.0.0-beta.451
# Verify the running version after upgrade
docker inspect coolify --format '{{.Config.Image}}'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

