CVE-2025-66210 is an OS command injection vulnerability classified under CWE-78, discovered in Coolify, an open-source, self-hostable platform used for managing servers, applications, and databases. The vulnerability affects all versions prior to 4.0.0-beta.451. It arises from improper sanitization of database names used during the Database Import process. Specifically, these database names are directly passed to shell commands without neutralizing special characters or validating input, which allows an authenticated user with application or service management permissions to inject arbitrary OS commands. Because these commands execute with root privileges on the managed servers, an attacker can achieve full remote code execution, compromising confidentiality, integrity, and availability of the affected systems. The vulnerability requires no additional authentication beyond management permissions and no user interaction, making exploitation straightforward once access is gained. The CVSS 4.0 score of 9.4 indicates a critical severity, with network attack vector, low attack complexity, no user interaction, and high impact on all security properties. Although no public exploits are currently known, the potential for damage is significant, especially in environments where Coolify manages critical infrastructure or sensitive data. The issue was addressed in version 4.0.0-beta.451 by properly sanitizing inputs to prevent command injection.

For European organizations, the impact of this vulnerability can be severe. Organizations using Coolify to manage servers and databases risk full system compromise if an attacker gains management-level access. This can lead to unauthorized data access, data manipulation, service disruption, and potential lateral movement within networks. Critical sectors such as finance, healthcare, and government that rely on Coolify for deployment automation or database management could face operational outages and data breaches. The root-level execution capability means attackers can disable security controls, install persistent malware, or exfiltrate sensitive information. Given the ease of exploitation and high privileges involved, the vulnerability poses a significant threat to the confidentiality, integrity, and availability of affected systems. Additionally, the lack of known exploits in the wild does not reduce urgency, as the vulnerability is straightforward to exploit once access is obtained.

European organizations should immediately upgrade all Coolify instances to version 4.0.0-beta.451 or later to remediate the vulnerability. Until upgrades are completed, restrict application and service management permissions strictly to trusted administrators and implement strong authentication controls such as multi-factor authentication. Monitor and audit management activities for suspicious commands or unusual behavior. Employ network segmentation to isolate management interfaces from general user networks and the internet. Use host-based intrusion detection systems to detect anomalous command executions. Additionally, review and sanitize all user inputs related to database names or other parameters passed to shell commands. Conduct regular vulnerability assessments and penetration testing focused on management interfaces. Finally, maintain an incident response plan to quickly contain and remediate any potential exploitation.