CVE-2025-64424 is a command injection vulnerability identified in Coolify, an open-source, self-hostable platform used for managing servers, applications, and databases. The flaw exists in the git source input fields of a resource, where input is improperly sanitized, allowing special command elements to be injected and executed. This vulnerability is classified under CWE-77, indicating improper neutralization of special elements used in commands. A low-privileged user with member-level access can exploit this flaw to execute arbitrary system commands with root privileges on the Coolify instance, leading to full system compromise. The vulnerability affects all Coolify versions up to and including 4.0.0-beta.434. The CVSS 4.0 base score is 9.4, reflecting critical severity due to network attack vector (AV:N), low attack complexity (AC:L), no required authentication (AT:N), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (VC:H/VI:H/VA:H). No public exploits or patches are currently available, increasing the urgency for organizations to implement interim mitigations. The root cause is insufficient input validation and sanitization in the git source input fields, allowing command injection. This vulnerability could be leveraged to gain persistent root access, deploy malware, exfiltrate sensitive data, or disrupt services. Given Coolify’s role in managing critical infrastructure components, exploitation could have cascading effects on dependent applications and services.

For European organizations, this vulnerability poses a significant risk due to the potential for complete system takeover with root privileges. Organizations using Coolify to manage production servers, databases, or applications could face data breaches, service outages, and unauthorized access to sensitive information. The ability for a low-privileged user to escalate privileges to root means insider threats or compromised accounts could lead to rapid lateral movement and persistent footholds within networks. The impact extends to cloud environments and hybrid infrastructures where Coolify is deployed for orchestration and automation. Disruption of these management tools can lead to downtime, loss of business continuity, and reputational damage. Additionally, regulatory compliance risks arise if personal or sensitive data is exposed or systems are compromised, especially under GDPR requirements. The lack of a patch at the time of disclosure means organizations must rely on compensating controls to mitigate risk until an official fix is released.

1. Immediately restrict access to Coolify management interfaces to trusted administrators only, using network segmentation and firewall rules. 2. Enforce strict role-based access control (RBAC) to limit membership privileges and reduce the number of users with git source input capabilities. 3. Monitor logs and system behavior for unusual command executions or privilege escalations, employing endpoint detection and response (EDR) tools. 4. Disable or restrict git source input fields if possible until a patch is available. 5. Regularly audit Coolify instances for unauthorized changes or suspicious activity. 6. Stay informed on vendor advisories and apply patches promptly once released. 7. Consider deploying Coolify instances in isolated environments or containers to limit blast radius. 8. Implement multi-factor authentication (MFA) for all users to reduce risk of account compromise. 9. Conduct internal penetration testing focusing on command injection vectors in Coolify. 10. Educate users about the risks of command injection and the importance of secure input handling.