
Coolify Discloses 11 Critical Flaws Enabling Full Server Compromise on Self-Hosted Instances

Severity: Critical
Tags: vulnerability, remote, rce
Published: Thu Jan 08 2026 (01/08/2026, 09:53:00 UTC)
Source: The Hacker News

Description

Cybersecurity researchers have disclosed details of multiple critical-severity security flaws affecting Coolify, an open-source self-hosting platform, that could result in authentication bypass and remote code execution. The list of vulnerabilities is as follows: CVE-2025-66209 (CVSS score: 10.0): A command injection vulnerability in the database backup functionality allows any authenticated

AI-Powered Analysis

Last updated: 01/08/2026, 16:56:50 UTC

Technical Analysis

Coolify, an open-source platform for self-hosting applications and managing infrastructure, has been found to contain 11 critical security vulnerabilities. Most are command injection flaws that allow authenticated users to execute arbitrary commands on the host system. They span several features: database backup and import (CVE-2025-66209, CVE-2025-66210), PostgreSQL initialization scripts (CVE-2025-66211), dynamic proxy configuration (CVE-2025-66212), file storage directory mounts (CVE-2025-66213), and Docker Compose file handling (CVE-2025-64419). An information disclosure vulnerability (CVE-2025-64420) exposes the root user's private SSH key to low-privileged users, enabling unauthorized root access. Further flaws cover command injection via git source inputs and operating system command injection through Docker Compose directives and Git repository fields (CVE-2025-64424, CVE-2025-59156, CVE-2025-59157). A stored cross-site scripting vulnerability (CVE-2025-59158) lets a low-privileged user run script in an administrator's browser context.

Most of these vulnerabilities carry CVSS scores between 9.4 and 10.0, indicating critical severity. Exploitation requires authentication but can lead to full server compromise, container escape, and root-level command execution. The affected versions are mostly beta releases prior to 4.0.0-beta.451; patches are available for many of the flaws, but for some the fix status remains unclear.

According to Censys data, approximately 52,890 Coolify instances are exposed worldwide, with a significant share in Europe, especially Germany, France, and Finland. No active exploitation has been observed, but the critical nature of these flaws and the widespread exposure underscore the urgent need for remediation.

Potential Impact

For European organizations, the impact of these vulnerabilities is severe. Coolify is used for self-hosting and managing containerized applications and infrastructure, meaning a successful exploit can lead to full server and infrastructure compromise. Attackers gaining root access can exfiltrate sensitive data, disrupt services, deploy ransomware, or use the compromised servers as pivot points for lateral movement within networks. The exposure of root SSH keys further exacerbates the risk by allowing persistent unauthorized access. Given the number of exposed instances in Germany, France, and Finland, organizations in these countries are at heightened risk. Critical infrastructure providers, SMEs relying on self-hosted platforms, and development environments using Coolify could face operational downtime, data breaches, and reputational damage. The ease of exploitation for authenticated users means insider threats or compromised credentials could rapidly escalate into full system takeovers. The stored XSS vulnerability also poses risks of session hijacking or administrative account compromise. Overall, the threat undermines confidentiality, integrity, and availability of affected systems, with potential cascading effects on business continuity and compliance obligations under GDPR and other regulations.

Mitigation Recommendations

Organizations should immediately identify and inventory all Coolify instances in their environment. They must upgrade affected Coolify versions to the latest patched releases (at least 4.0.0-beta.451 or newer) where fixes are confirmed. For versions where fixes are unclear, consider disabling vulnerable functionalities or isolating the instances until patches are available. Restrict access to Coolify management interfaces to trusted networks and enforce strong authentication mechanisms, including multi-factor authentication. Regularly audit user permissions to minimize the number of users with database backup, server management, or application management privileges. Monitor logs for unusual command execution or access patterns indicative of exploitation attempts. Employ network segmentation to limit the impact of a compromised Coolify server. Consider deploying host-based intrusion detection systems to detect anomalous root-level command executions. For exposed instances, conduct vulnerability scanning and penetration testing to verify remediation. Educate administrators about the risks of these vulnerabilities and the importance of timely patching. Finally, implement robust backup and incident response plans to recover quickly from potential compromises.


Technical Details

Article Source: https://thehackernews.com/2026/01/coolify-discloses-11-critical-flaws.html (fetched 2026-01-08T16:55:09Z; 1138 words)

Threat ID: 695fe16f2717593a3368db76

Added to database: 1/8/2026, 4:55:11 PM

Last enriched: 1/8/2026, 4:56:50 PM

Last updated: 1/9/2026, 12:15:31 PM

