CVE-2025-64424 is a critical command injection vulnerability identified in Coolify, an open-source, self-hostable platform used for managing servers, applications, and databases. The vulnerability exists in versions up to and including 4.0.0-beta.434 and is located specifically in the git source input fields of a resource. Due to improper neutralization of special elements in these input fields (classified under CWE-77), a low-privileged user with member-level access can inject malicious commands that are executed with root privileges on the underlying system hosting the Coolify instance. This means an attacker can fully compromise the host system, leading to complete loss of confidentiality, integrity, and availability. The vulnerability requires no user interaction and no higher privilege than member access, making it highly exploitable. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no authentication required (AT:N), no user interaction (UI:N), and high impact on all security properties (VC:H, VI:H, VA:H). As of the publication date, no patch or fix has been released, increasing the urgency for organizations to implement compensating controls. Coolify’s role in managing critical infrastructure components means exploitation could lead to widespread disruption, data theft, or persistent backdoors. The lack of known exploits in the wild does not diminish the severity given the ease of exploitation and potential impact.

For European organizations, the impact of this vulnerability is severe. Coolify is used to manage critical infrastructure such as servers, applications, and databases, often in cloud or hybrid environments. Exploitation could allow attackers to gain root access, leading to full system compromise, data breaches, service disruption, and lateral movement within networks. This could affect confidentiality of sensitive data, integrity of applications and configurations, and availability of services. Organizations relying on Coolify for multi-tenant or production environments face risks of unauthorized access and control. The vulnerability could also be leveraged to deploy ransomware or persistent malware. Given the criticality of the flaw and the absence of a patch, European entities must assume a high risk posture, especially those in sectors like finance, healthcare, and critical infrastructure where Coolify might be deployed. The potential for supply chain attacks also exists if Coolify-managed environments are used to deploy software to customers or partners.

1. Immediately restrict member-level access to trusted personnel only, minimizing the number of users who can input git source fields. 2. Isolate Coolify instances in segmented network zones with strict firewall rules to limit exposure. 3. Monitor system logs and command execution traces for unusual or unauthorized commands originating from Coolify. 4. Employ host-based intrusion detection systems (HIDS) to detect root-level command execution anomalies. 5. Consider temporarily disabling git source input functionality or replacing Coolify with alternative tools until a patch is available. 6. Use containerization or virtual machines to sandbox Coolify instances, limiting root-level impact on host systems. 7. Regularly review and audit Coolify configurations and user permissions. 8. Stay updated with vendor announcements for patches or mitigations and apply them promptly once available. 9. Implement multi-factor authentication and strong access controls around Coolify management interfaces. 10. Educate administrators and developers about the risks of command injection and secure input validation practices.