CVE-2025-66211 is an OS command injection vulnerability identified in Coolify, an open-source, self-hostable platform for managing servers, applications, and databases. The flaw exists in versions prior to 4.0.0-beta.451 and arises from improper neutralization of special elements in PostgreSQL initialization script filenames. Specifically, these filenames are incorporated into shell commands without adequate validation or sanitization, allowing an authenticated user with application or service management privileges to inject arbitrary shell commands. Because these commands execute with root privileges on the managed servers, an attacker can gain full remote code execution capabilities, compromising the entire system. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and has a CVSS 4.0 base score of 9.4, reflecting its critical severity. Exploitation requires authentication but no user interaction and can be performed remotely with low complexity. The vulnerability was publicly disclosed on December 23, 2025, and fixed in Coolify version 4.0.0-beta.451. No known exploits are currently observed in the wild, but the potential impact is severe given the root-level access granted upon exploitation.

The impact of CVE-2025-66211 is severe for organizations using vulnerable versions of Coolify. Successful exploitation allows attackers to execute arbitrary commands as root on managed servers, leading to complete system compromise. This can result in unauthorized data access or modification, disruption of services, deployment of malware or ransomware, and lateral movement within the network. Since Coolify is used to manage critical infrastructure components such as servers, applications, and databases, the compromise can cascade to affect multiple systems and services. The vulnerability threatens confidentiality, integrity, and availability of organizational assets. Additionally, the ease of exploitation by any authenticated user with management permissions increases the risk, especially in environments with multiple administrators or less stringent access controls. Organizations relying on Coolify for production environments face significant operational and reputational risks if this vulnerability is exploited.

To mitigate CVE-2025-66211, organizations should immediately upgrade Coolify to version 4.0.0-beta.451 or later, where the vulnerability is patched. Until the upgrade is applied, restrict application and service management permissions strictly to trusted and vetted users to reduce the attack surface. Implement robust access controls and monitor for unusual command execution or privilege escalation activities on managed servers. Employ network segmentation to isolate management interfaces and limit exposure to untrusted networks. Additionally, review and sanitize any user-supplied input related to PostgreSQL initialization scripts or other shell-invoked parameters. Consider deploying runtime application self-protection (RASP) or host-based intrusion detection systems (HIDS) to detect and block suspicious command injection attempts. Regularly audit Coolify configurations and logs for signs of exploitation. Finally, educate administrators about the risks of command injection vulnerabilities and the importance of applying security updates promptly.