CVE-2025-66211: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in coollabsio coolify
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in PostgreSQL Init Script Filename handling allows users with application/service management permissions to execute arbitrary commands as root on managed servers. PostgreSQL initialization script filenames are passed to shell commands without proper validation, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-66211 is an OS command injection vulnerability classified under CWE-78 affecting coollabsio's Coolify, an open-source, self-hostable platform for managing servers, applications, and databases. The vulnerability exists in versions prior to 4.0.0-beta.451 and stems from improper neutralization of special elements in PostgreSQL initialization script filenames. Specifically, when users with application or service management permissions provide PostgreSQL init script filenames, these inputs are passed directly to shell commands without adequate validation or sanitization. This allows an attacker with authenticated access and limited privileges within the application to inject arbitrary shell commands, which are executed with root privileges on the managed servers. The vulnerability does not require user interaction and can be exploited remotely over the network, making it highly dangerous. The CVSS 4.0 score of 9.4 reflects its critical severity, with high impact on confidentiality, integrity, and availability, and low attack complexity. The flaw enables full remote code execution, potentially compromising entire server environments managed by Coolify. The issue was publicly disclosed on December 23, 2025, and fixed in version 4.0.0-beta.451. No known exploits have been reported in the wild yet, but the vulnerability's nature and ease of exploitation make it a prime target for attackers once weaponized. Organizations using Coolify should prioritize upgrading to the patched version and review access controls to limit exposure.
Potential Impact
For European organizations, the impact of CVE-2025-66211 can be severe. Coolify is used to manage critical infrastructure including servers, applications, and databases; exploitation could lead to full system compromise, data breaches, service disruption, and lateral movement within networks. The ability to execute arbitrary commands as root means attackers can install malware, exfiltrate sensitive data, disrupt services, or pivot to other systems. This could affect sectors reliant on Coolify for DevOps and infrastructure management, including finance, healthcare, government, and technology companies. Given the criticality of root-level access, the vulnerability threatens confidentiality, integrity, and availability of systems. The lack of required user interaction and low complexity of exploitation increase the risk of rapid compromise. Additionally, organizations subject to strict data protection regulations such as GDPR face compliance and reputational risks if exploited. The absence of known exploits in the wild currently provides a window for proactive mitigation, but the threat landscape may evolve quickly.
Mitigation Recommendations
1. Immediately upgrade all Coolify instances to version 4.0.0-beta.451 or later, where the vulnerability is patched.
2. Restrict application/service management permissions to trusted administrators only, minimizing the number of users who can provide PostgreSQL init script filenames.
3. Implement strict input validation and sanitization on any user-supplied filenames or parameters related to PostgreSQL initialization scripts, even beyond the patched version, as a defense-in-depth measure.
4. Monitor logs for unusual command execution patterns or unexpected root-level activities on managed servers.
5. Employ network segmentation to isolate critical infrastructure managed by Coolify, limiting potential lateral movement if compromised.
6. Use multi-factor authentication (MFA) for all administrative access to Coolify to reduce risk of credential compromise.
7. Regularly audit and review user permissions within Coolify to ensure least privilege principles are enforced.
8. Consider deploying runtime application self-protection (RASP) or endpoint detection and response (EDR) tools to detect and block suspicious command injection attempts.
9. Maintain up-to-date backups of critical systems managed by Coolify to enable recovery in case of compromise.
10. Stay informed about any emerging exploits or advisories related to this CVE to respond promptly.
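The root cause described in the technical summary (a user-controlled filename reaching a shell command unvalidated) and mitigation item 3 (allowlist validation as defense in depth) can both be shown in a few lines. The following Python is an added example written for this page; it is not Coolify's code (Coolify itself is a PHP application) and does not reproduce the patched logic. The destination directory `/data/postgres/docker-entrypoint-initdb.d`, the use of `install` as the placement command, and every function name are this example's own assumptions. It shows the two controls that together close CWE-78 here: an allowlist that only accepts a single safe path component, and command construction as an argument vector (or `shlex.quote`d string for a remote executor) so that no shell ever parses the filename. A small heuristic for flagging suspicious submissions in logs supports mitigation item 4.

```python
import re
import shlex
import subprocess
from pathlib import PurePosixPath

# Hypothetical destination directory; Coolify's real layout is not taken from the advisory.
INIT_SCRIPT_DIR = "/data/postgres/docker-entrypoint-initdb.d"

# Allowlist for script filenames: starts with a letter, digit or underscore,
# continues with letters/digits/dot/underscore/hyphen, ends in .sql or .sh.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}\.(sql|sh)$")

# Characters a shell would interpret; used for alerting only, never as the filter.
_SHELL_META = set(";&|`$(){}<>\\'\"*?\n\r\t ")


class UnsafeFilenameError(ValueError):
    """Raised when a submitted init-script filename fails the allowlist."""


def validate_init_script_name(name: str) -> str:
    """Return the filename unchanged if it is one safe path component, else raise."""
    if not name:
        raise UnsafeFilenameError("empty filename")
    if "\x00" in name or "/" in name or "\\" in name or ".." in name:
        raise UnsafeFilenameError("path separators and traversal are not allowed")
    if not _SAFE_NAME.fullmatch(name):
        raise UnsafeFilenameError(f"filename rejected by allowlist: {name!r}")
    return name


def is_safe_init_script_name(name: str) -> bool:
    """Boolean form of the validator, convenient for request-level checks."""
    try:
        validate_init_script_name(name)
        return True
    except UnsafeFilenameError:
        return False


def build_install_argv(name: str, uploaded_path: str) -> list[str]:
    """Argument vector that places a validated script into INIT_SCRIPT_DIR.

    Returning argv (not a string) lets the caller use subprocess.run(argv)
    with shell=False, so no shell ever parses the filename.
    """
    safe = validate_init_script_name(name)
    dest = str(PurePosixPath(INIT_SCRIPT_DIR) / safe)
    return ["install", "-m", "0644", uploaded_path, dest]


def build_install_shell_line(name: str, uploaded_path: str) -> str:
    """Same command as one line for a remote executor (e.g. ssh) that needs a string.

    Every argument goes through shlex.quote, so even a name that slipped past the
    allowlist would reach the remote shell as quoted data, not as syntax.
    """
    return " ".join(shlex.quote(arg) for arg in build_install_argv(name, uploaded_path))


def looks_like_injection_attempt(name: str) -> bool:
    """Detection heuristic: flag submissions containing shell metacharacters for logging."""
    return any(ch in _SHELL_META for ch in name)


def install_init_script(name: str, uploaded_path: str, run=subprocess.run):
    """Validate, then execute without a shell. `run` is injectable for testing."""
    argv = build_install_argv(name, uploaded_path)
    return run(argv, shell=False, check=True)


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate name, several that must be refused.
    for candidate in ["01-schema.sql", "a;b.sql", "../etc.sql", ".hidden.sh", "x$(y).sql"]:
        try:
            print("accepted:", build_install_argv(candidate, "/tmp/upload.sql"))
        except UnsafeFilenameError as exc:
            print("rejected:", exc, "| suspicious:", looks_like_injection_attempt(candidate))
```

The allowlist is the actual control: it decides what is accepted. The metacharacter heuristic is deliberately not used as a denylist filter, because denylists miss encodings and operators the author did not think of; it exists so that a rejected submission containing shell syntax can be logged at a higher severity than a mere typo. Note that `.hidden.sh` is rejected by the allowlist without triggering the heuristic, which is the intended division of labour.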
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Italy, Spain
Technical Details
Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-11-24T23:01:29.678Z
CVSS Version: 4.0
State: PUBLISHED
Threat ID: 694b149ad69af40f3136cc78
Added to database: 12/23/2025, 10:15:54 PM
Last enriched: 1/7/2026, 2:53:33 AM
Last updated: 2/4/2026, 4:03:19 PM
Views: 302