CVE-2025-66211: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in coollabsio coolify
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in PostgreSQL Init Script Filename handling allows users with application/service management permissions to execute arbitrary commands as root on managed servers. PostgreSQL initialization script filenames are passed to shell commands without proper validation, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-66211 is an OS command injection flaw (CWE-78) in Coolify, an open-source, self-hostable platform for managing servers, applications and databases. When Coolify provisions a PostgreSQL database it lets the user supply initialization scripts, and the user-chosen filename of each script is interpolated into a shell command that Coolify then runs on the managed server. Versions prior to 4.0.0-beta.451 neither validate nor quote that filename, so shell metacharacters in it (a semicolon, a pipe, $( ), backticks or a newline) terminate the intended command and run whatever follows. Because Coolify executes its management commands as root on the managed host, the injected command runs as root too: any authenticated user with application or service management permissions obtains full remote code execution on every server the instance manages, with total loss of confidentiality, integrity and availability. No user interaction beyond the attacker's own authenticated session is needed, the attack is network-reachable and of low complexity, and the CVSS 4.0 base score of 9.4 reflects that. No exploitation in the wild has been reported, but the prerequisites are modest. The issue was publicly disclosed on December 23, 2025, and is fixed in 4.0.0-beta.451; operators who manage PostgreSQL through Coolify should treat the upgrade as urgent.
Potential Impact
For European organizations, the risk is full compromise of every server a vulnerable Coolify instance manages, not just the Coolify host itself. An attacker with a qualifying account gains root on those servers and can read database contents and secrets, alter or destroy data, deploy ransomware, or pivot further into the internal network. Coolify is typically used to run production applications and databases, so the affected hosts are often the ones holding business data. The privilege model makes the flaw worse than an ordinary injection: a Coolify user who only needs to manage applications or services is, in effect, root on the whole fleet, so a phished or reused password or a disgruntled insider is enough; there is no separate privilege-escalation step to detect. Organizations in sectors with heavy PostgreSQL use, including financial services, SaaS and cloud operators and critical-infrastructure providers, face operational disruption and data-breach exposure, and because managed servers often host services for third parties the impact can propagate along supply chains.
Mitigation Recommendations
Upgrade Coolify to 4.0.0-beta.451 or later. This is the only complete fix; the measures below reduce the likelihood of exploitation but do not remove the flaw. Until the upgrade is done: restrict application and service management permissions to the smallest possible set of accounts, enforce multi-factor authentication on them, and review who currently holds them; keep the Coolify web interface off the public internet, reachable only from an administrative network or VPN; and audit existing PostgreSQL init scripts, checking the filenames for shell metacharacters (semicolons, pipes, $( ), backticks, quotes, newlines) rather than only inspecting script bodies, because the filename, not the script content, is the injection point. On the managed servers, alert on unexpected child processes of the shell sessions Coolify opens, and review Coolify's own logs for database creations or edits by users who should not be making them. Finally, during the exposure window every account with management rights was equivalent to root on all managed servers, so the incident response plan should treat a compromised Coolify credential as a fleet-wide root compromise and include credential rotation and host re-provisioning.
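The following PHP sketch is an added illustration, not Coolify's own code, of the pattern described in the Technical Summary and of the filename audit recommended above. Every function, path and variable name in it is hypothetical; it assumes only what the advisory states, that a user-supplied init-script filename ends up inside a shell command string. The vulnerable builder interpolates the filename directly; the hardened one rejects anything outside a strict allowlist of plain filenames carrying the extensions the PostgreSQL container entrypoint executes, and quotes what remains with escapeshellarg(). The audit helper reuses the same allowlist so stored records can be checked for filenames that would have been injectable.

```php
<?php
// Added example (not Coolify's code). All names, paths and the command shape are
// hypothetical; the point is how a user-chosen filename reaches a root shell.

declare(strict_types=1);

// VULNERABLE: the filename is dropped straight into a shell command that
// Coolify-style tooling runs as root on the managed server. A filename such as
//   init.sql; id > /tmp/pwned #
// closes the redirect, runs "id", and comments out the rest of the line.
function buildWriteCommandVulnerable(string $dir, string $filename, string $contentB64): string
{
    return "echo '{$contentB64}' | base64 -d > {$dir}/{$filename}";
}

// Step 1: allowlist. One path component, no leading dot, conservative charset,
// and only the suffixes the postgres entrypoint will run from initdb.d
// (.sql, .sql.gz, .sh; extend the alternation if your image needs .sql.xz etc.).
function isSafeInitScriptName(string $filename): bool
{
    $pattern = '/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.(sql|sql\.gz|sh)\z/';
    // ".." cannot traverse without a slash, which the class already forbids,
    // but rejecting it keeps the rule easy to reason about.
    return preg_match($pattern, $filename) === 1 && !str_contains($filename, '..');
}

// Step 2: even a validated value is quoted before it touches the shell.
function buildWriteCommandHardened(string $dir, string $filename, string $contentB64): string
{
    if (!isSafeInitScriptName($filename)) {
        throw new InvalidArgumentException(
            'rejected init script filename: ' . json_encode($filename)
        );
    }
    $target = escapeshellarg(rtrim($dir, '/') . '/' . $filename);
    return 'echo ' . escapeshellarg($contentB64) . ' | base64 -d > ' . $target;
}

// Audit helper for records created before the fix: returns every stored
// filename that would not pass the allowlist and therefore deserves a look.
function auditInitScriptNames(iterable $filenames): array
{
    $suspicious = [];
    foreach ($filenames as $name) {
        if (!isSafeInitScriptName($name)) {
            $suspicious[] = $name;
        }
    }
    return $suspicious;
}

// Demonstration on constructed inputs.
$dir       = '/docker-entrypoint-initdb.d';
$payload   = base64_encode("CREATE TABLE t(id int);\n");
$malicious = 'init.sql; id > /tmp/pwned #';

echo "vulnerable: ", buildWriteCommandVulnerable($dir, $malicious, $payload), PHP_EOL;
echo "hardened:   ", buildWriteCommandHardened($dir, '01-schema.sql', $payload), PHP_EOL;

try {
    buildWriteCommandHardened($dir, $malicious, $payload);
} catch (InvalidArgumentException $e) {
    echo "hardened rejected: ", $e->getMessage(), PHP_EOL;
}

// Constructed sample of stored filenames, as an audit over a database export might see them.
print_r(auditInitScriptNames([
    '01-schema.sql',
    'seed.sh',
    $malicious,
    '../../etc/cron.d/job.sh',
    "a\nb.sql",
    'dump.sql.gz',
]));
```

Quoting alone is not enough: a filename like ../../etc/cron.d/job.sh is a perfectly safe shell argument yet still writes outside the init directory, which is why the allowlist forbids path separators and leading dots. The allowlist alone is not enough either once the value is concatenated with other interpolated pieces, which is why the hardened builder applies both.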
Affected Countries
Germany, France, Netherlands, United Kingdom, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-24T23:01:29.678Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 694b149ad69af40f3136cc78
Added to database: 12/23/2025, 10:15:54 PM
Last enriched: 12/23/2025, 10:27:48 PM
Last updated: 12/24/2025, 1:30:28 AM