CVE-2025-66210: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in coollabsio coolify
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Import functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Database names used in import operations are passed directly to shell commands without sanitization, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-66210 is an OS command injection vulnerability (CWE-78) in Coolify, the open-source, self-hostable server management tool from coollabsio. The flaw is in the Database Import functionality of versions before 4.0.0-beta.451: the database name supplied for an import is interpolated directly into a shell command string without escaping or validation, so a name containing shell metacharacters (a semicolon, a pipe, command substitution) terminates the intended command and appends the attacker's own. Any authenticated user holding application or service management permissions can therefore inject commands, and because Coolify runs these commands as root on the managed servers, the result is full remote code execution on every server the instance manages, compromising confidentiality, integrity and availability. Authentication is required; no user interaction is. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) encodes a network-reachable, low-complexity attack by a low-privileged user with high confidentiality, integrity and availability impact on both the vulnerable system (VC/VI/VA) and the subsequent systems it manages (SC/SI/SA). The CVE was reserved on 2025-11-24 and published on 2025-12-23; no exploitation in the wild had been reported at the time of this analysis. The fix in 4.0.0-beta.451 sanitizes the database name before it reaches the shell.
Potential Impact
The vulnerability allows attackers with limited authenticated access to escalate privileges to root on managed servers, enabling full control over critical infrastructure components. This can lead to data theft, destruction, or manipulation, disruption of services, and lateral movement within organizational networks. Since Coolify is used to manage servers, applications, and databases, compromise could affect multiple layers of IT infrastructure simultaneously. The ability to execute arbitrary commands as root means attackers can install persistent backdoors, exfiltrate sensitive data, or disrupt operations at will. Organizations relying on Coolify for production environments face risks of severe operational downtime, regulatory non-compliance due to data breaches, and reputational damage. The absence of required user interaction and low attack complexity increases the likelihood of exploitation once credentials are obtained or compromised.
Mitigation Recommendations
Upgrade every Coolify instance to 4.0.0-beta.451 or later, where the database name is sanitized before it reaches the shell. Until that is done, keep application/service management permissions to trusted personnel, treat every account that holds them as equivalent to root on the managed servers, and temporarily disable the Database Import functionality if it is not essential. Put the Coolify management interface behind network segmentation and strong authentication, including multi-factor authentication, so that a stolen password alone is not enough. If custom scripts or integrations drive imports through Coolify, make sure the database names they submit are validated against a strict identifier allow-list rather than passed through from untrusted sources. On the managed servers themselves, record process executions (for example with auditd or a host-based intrusion detection system) and review root-level commands executed on behalf of Coolify for unexpected additional programs, since an injected payload shows up as an extra command chained onto the import. Because successful exploitation leaves the attacker as root on the target server, patching alone does not undo a prior compromise: if the role was ever held by an untrusted user, audit those servers for persistence and rotate any credentials they could have reached. Finally, keep an incident response plan that covers a Coolify compromise scenario.
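To make the flaw pattern from the Technical Summary concrete, and to give the monitoring advice above something to run, here is an added Python example that is not Coolify's code: the import command template, the function names, the database-name allow-list and the payloads are all constructed for illustration (Coolify itself is PHP, where the equivalent quoting primitive is escapeshellarg()). It builds the import command the vulnerable way and the hardened way, tokenises each string the way /bin/sh would, and reports which simple commands would actually run; the last function applies the same tokeniser to an observed `sh -c` string, which is what you would pull from process-execution auditing on a managed server.

```python
"""CWE-78 pattern of the kind described for CVE-2025-66210, as a worked example.

Added illustration, not Coolify's code: the template, names and payloads below are
constructed for demonstration. shlex.quote() plays the role PHP's escapeshellarg() would.
"""
import re
import shlex

# Assumed shape of a database-import command; a stand-in, not the real Coolify command.
IMPORT_TEMPLATE = "cat /tmp/dump.sql | mysql -u root {db}"

# Allow-list for identifiers we are willing to hand to a shell (assumption: [A-Za-z0-9_], max 64).
DB_NAME_RE = re.compile(r"[A-Za-z0-9_]{1,64}")

# Tokens after which /bin/sh starts a new simple command.
COMMAND_SEPARATORS = {";", ";;", "|", "||", "&", "&&", "(", ")"}


def build_import_command_vulnerable(db_name: str) -> str:
    """The flawed pattern: untrusted input interpolated straight into a shell string."""
    return IMPORT_TEMPLATE.format(db=db_name)


def build_import_command_quoted(db_name: str) -> str:
    """Quoting alone (escapeshellarg analogue): metacharacters become literal data."""
    return IMPORT_TEMPLATE.format(db=shlex.quote(db_name))


def validate_db_name(db_name: str) -> str:
    """Reject anything outside the identifier allow-list before it reaches a shell."""
    if not DB_NAME_RE.fullmatch(db_name):
        raise ValueError(f"invalid database name: {db_name!r}")
    return db_name


def build_import_command_hardened(db_name: str) -> str:
    """Defence in depth: allow-list first, then quote whatever survives."""
    return IMPORT_TEMPLATE.format(db=shlex.quote(validate_db_name(db_name)))


def simple_commands(shell_string: str) -> list[str]:
    """First word of each simple command /bin/sh would run for this string.

    shlex in POSIX mode with punctuation_chars returns ; | & ( ) as their own
    tokens while quoted text stays a single token, which is the behaviour that
    distinguishes the vulnerable string from the quoted one.
    """
    lexer = shlex.shlex(shell_string, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: list[str] = []
    expect_command = True
    for token in lexer:
        if token in COMMAND_SEPARATORS:
            expect_command = True
        elif token.startswith("`") and token.strip("`"):
            # Backticks are not a shlex quote; treat the substituted word as a command.
            commands.append(token.strip("`"))
            expect_command = False
        elif expect_command:
            commands.append(token)
            expect_command = False
    return commands


def unexpected_commands(shell_string: str, expected: tuple[str, ...]) -> list[str]:
    """Detection aid: commands in an observed `sh -c` string beyond the ones the
    import is supposed to run. Feed it the command argument from exec auditing."""
    return [cmd for cmd in simple_commands(shell_string) if cmd not in expected]


if __name__ == "__main__":
    payload = "appdb; id"  # constructed payload: a database name carrying a second command
    print(build_import_command_vulnerable(payload))
    print(simple_commands(build_import_command_vulnerable(payload)))  # ['cat', 'mysql', 'id']
    print(build_import_command_quoted(payload))
    print(simple_commands(build_import_command_quoted(payload)))  # ['cat', 'mysql']
    try:
        build_import_command_hardened(payload)
    except ValueError as exc:
        print("rejected:", exc)
```

The allow-list runs before the quoting on purpose: quoting neutralises the shell, but the identifier still reaches the database client afterwards, and a strict identifier pattern is the only thing that keeps odd names from surprising that second parser too. The tokeniser is an approximation of sh parsing for triage (it does not model here-documents or nested quoting), so treat a non-empty result from unexpected_commands as a lead to investigate rather than a verdict.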
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-24T23:01:29.678Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 694b1125d69af40f3132312c
Added to database: 12/23/2025, 10:01:09 PM
Last enriched: 3/17/2026, 6:16:24 PM
Last updated: 3/24/2026, 12:22:03 AM