CVE-2025-66209 is an OS command injection vulnerability classified under CWE-78, discovered in Coolify, an open-source, self-hostable platform for managing servers, applications, and databases. The flaw exists in the Database Backup feature of Coolify versions earlier than 4.0.0-beta.451. Specifically, database names used during backup operations are directly incorporated into shell commands without proper sanitization or escaping of special characters. This improper neutralization allows an authenticated user with application or service management permissions to inject arbitrary shell commands. Because these commands execute with root privileges on the managed servers, an attacker can achieve full remote code execution, compromising confidentiality, integrity, and availability of the systems. The vulnerability requires authentication but no additional user interaction, making it easier to exploit by insiders or compromised accounts. The vulnerability was publicly disclosed on December 23, 2025, with a maximum CVSS v3.1 score of 10.0, reflecting its critical nature. Although no active exploits have been reported, the risk is high due to the severity and ease of exploitation. The issue is resolved in Coolify version 4.0.0-beta.451, which implements proper input sanitization and command handling to prevent injection.

The impact of CVE-2025-66209 is severe and wide-ranging. Successful exploitation grants attackers root-level remote code execution on managed servers, enabling them to fully compromise affected systems. This can lead to unauthorized data access, data destruction, installation of persistent backdoors, lateral movement within networks, and disruption of critical services. Organizations relying on Coolify for server and database management face risks to their operational continuity, data confidentiality, and system integrity. Given Coolify’s role in managing multiple applications and databases, a single exploited instance could cascade into broader network compromises. The vulnerability’s requirement for authentication limits exposure to some extent, but insider threats or compromised credentials significantly increase risk. The lack of known exploits in the wild currently reduces immediate threat but does not diminish the urgency for remediation. Organizations that delay patching or continue using vulnerable versions expose themselves to potentially devastating attacks.

To mitigate CVE-2025-66209, organizations should immediately upgrade Coolify to version 4.0.0-beta.451 or later, where the vulnerability is patched. Until upgrade is possible, restrict application and service management permissions strictly to trusted administrators to reduce the risk of exploitation. Implement strong authentication mechanisms, including multi-factor authentication, to protect management accounts. Monitor logs and audit trails for unusual command execution or backup operations that could indicate exploitation attempts. Consider isolating Coolify-managed servers within segmented network zones to limit lateral movement if compromise occurs. Additionally, review and sanitize all user inputs related to database names or backup operations in any custom scripts or integrations. Employ runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect anomalous command execution patterns. Finally, maintain regular backups and incident response plans to recover quickly from potential breaches.