CVE-2025-66212 is an OS command injection vulnerability classified under CWE-78 affecting Coolify, an open-source, self-hostable platform for managing servers, applications, and databases. The vulnerability exists in versions prior to 4.0.0-beta.451 within the handling of Dynamic Proxy Configuration Filenames. Specifically, the application passes proxy configuration filenames directly into shell commands without proper escaping or sanitization. This improper neutralization of special shell characters allows authenticated users with application or service management permissions to inject arbitrary OS commands. Because these commands execute with root privileges on the managed servers, an attacker can gain full remote code execution capabilities, compromising the entire system. The vulnerability does not require user interaction and has a low attack complexity, but it does require authentication with management permissions, which may limit exposure to some extent. The CVSS 4.0 base score of 9.4 indicates critical severity, with high impact on confidentiality, integrity, and availability. The flaw was publicly disclosed on December 23, 2025, and fixed in Coolify version 4.0.0-beta.451. No known exploits have been reported in the wild yet, but the nature of the vulnerability makes it a high priority for patching. Organizations using Coolify should immediately upgrade to the fixed version and review access controls to limit management permissions. Additionally, monitoring for suspicious command execution on managed servers is advised.

The impact of CVE-2025-66212 is severe for organizations using Coolify to manage their infrastructure. Successful exploitation allows attackers to execute arbitrary commands as root on managed servers, leading to complete system compromise. This can result in unauthorized data access, data modification or destruction, deployment of malware or ransomware, lateral movement within networks, and disruption of critical services. Because Coolify is used for managing servers, applications, and databases, attackers could manipulate configurations, steal sensitive credentials, or disrupt business operations. The vulnerability's exploitation requires only authenticated access with management permissions, which may be granted to multiple users in an organization, increasing the attack surface. The critical severity and root-level access mean that organizations face risks to confidentiality, integrity, and availability of their systems and data. If exploited in environments with sensitive or regulated data, this could also lead to compliance violations and reputational damage.

To mitigate CVE-2025-66212, organizations should immediately upgrade Coolify installations to version 4.0.0-beta.451 or later, where the vulnerability is patched. Until the upgrade is applied, restrict application and service management permissions to the minimum necessary users, enforcing strict access controls and multi-factor authentication to reduce the risk of unauthorized exploitation. Conduct thorough audits of user permissions and remove any unnecessary management privileges. Implement monitoring and alerting for unusual command execution or privilege escalation activities on managed servers. Consider isolating Coolify management interfaces behind VPNs or internal networks to limit exposure. Additionally, review proxy configuration filename inputs and sanitize or validate them at the application level if custom modifications exist. Regularly back up critical data and configurations to enable recovery in case of compromise. Finally, maintain an incident response plan tailored to potential command injection attacks to ensure rapid containment and remediation.