
CVE-2025-66212: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in coollabsio coolify

Critical
Published: Tue Dec 23 2025 (12/23/2025, 22:04:18 UTC)
Source: CVE Database V5
Vendor/Project: coollabsio
Product: coolify

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Dynamic Proxy Configuration Filename handling allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Proxy configuration filenames are passed to shell commands without proper escaping, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.

AI-Powered Analysis

Last updated: 12/23/2025, 22:27:34 UTC

Technical Analysis

CVE-2025-66212 is an OS command injection vulnerability classified under CWE-78 affecting Coolify, an open-source, self-hostable tool designed for managing servers, applications, and databases. The vulnerability arises from improper neutralization of special elements in proxy configuration filenames, which are passed unsanitized to shell commands. Specifically, in versions prior to 4.0.0-beta.451, users with application or service management permissions can manipulate the dynamic proxy configuration filename parameter to inject arbitrary shell commands. Because these commands execute with root privileges on managed servers, an attacker can achieve full remote code execution, compromising confidentiality, integrity, and availability of the affected systems. The vulnerability does not require user interaction but does require authentication with elevated privileges, which limits exploitation to authorized users but significantly raises the risk if credentials are compromised or insider threats exist. The CVSS 4.0 score of 9.4 reflects the critical nature of this flaw, highlighting its network attack vector, low attack complexity, no user interaction, and high impact on all security properties. No known exploits are currently reported in the wild, but the severity and ease of exploitation make it a high-priority patch. The fix was introduced in version 4.0.0-beta.451 by properly escaping or sanitizing proxy configuration filenames before shell execution, preventing injection. Organizations using Coolify for server orchestration, particularly those exposing management interfaces or using dynamic proxy configurations, must prioritize upgrading to the patched version to mitigate risk.

Potential Impact

The impact on European organizations using Coolify is substantial. Successful exploitation grants attackers root-level remote code execution on managed servers, enabling them to fully control critical infrastructure components, manipulate or exfiltrate sensitive data, disrupt services, or pivot within networks. This can lead to severe operational disruptions, data breaches, and compliance violations under regulations like GDPR. Since Coolify manages servers, applications, and databases, the compromise can cascade, affecting multiple layers of IT infrastructure. The requirement for authenticated access somewhat limits exposure but does not eliminate risk, especially in environments with weak access controls or compromised credentials. European organizations with internet-facing Coolify deployments or those using it in multi-tenant or cloud environments are particularly vulnerable. The critical severity and high CVSS score indicate that the vulnerability could be exploited for impactful attacks, including ransomware deployment or espionage. The absence of known exploits in the wild suggests a window for proactive mitigation before widespread exploitation occurs.

Mitigation Recommendations

1. Immediately upgrade all Coolify instances to version 4.0.0-beta.451 or later, where the vulnerability is patched.
2. Restrict application and service management permissions strictly to trusted administrators to reduce the attack surface.
3. Implement strong authentication mechanisms, such as multi-factor authentication (MFA), to protect management interfaces.
4. Audit and sanitize all proxy configuration filenames and inputs manually if upgrading is delayed, ensuring no special shell characters are allowed.
5. Monitor logs for unusual command execution or proxy configuration changes indicative of exploitation attempts.
6. Isolate Coolify management interfaces from public networks using network segmentation or VPNs to limit exposure.
7. Regularly review and rotate credentials associated with Coolify to prevent unauthorized access.
8. Conduct penetration testing focused on command injection vectors in proxy configuration handling.
9. Educate administrators about the risks of command injection and the importance of applying patches promptly.
10. Maintain an incident response plan to quickly contain and remediate any detected exploitation.
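The following is an added illustration of the defensive pattern behind the Technical Analysis and mitigation item 4 above; it is not Coolify's code. It assumes an allowlist for proxy configuration filenames, a fixed parent directory, and SSH as the transport to managed servers (all assumptions), and shows why an argv list suffices locally but a remote command relayed through SSH must additionally be shell-quoted.

```python
import re
import shlex
from pathlib import PurePosixPath

# Assumed, illustrative constraints for a dynamic proxy configuration filename
# (not Coolify's actual rules): a single path component, conservative characters,
# a fixed set of extensions, and a fixed parent directory on the managed server.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")
ALLOWED_SUFFIXES = {".yaml", ".yml"}
PROXY_DIR = PurePosixPath("/data/coolify/proxy/dynamic")  # assumed location
MANAGED_HOST = "managed-server.example"                     # placeholder host


class InvalidFilename(ValueError):
    """Raised when a user-supplied filename fails allowlist validation."""


def validate_filename(name: str) -> str:
    # Allowlist: no slashes, no leading dot, no whitespace, no shell metacharacters.
    # Rejecting instead of escaping keeps the value safe in every later context
    # (shell, YAML, log lines) without relying on per-context quoting.
    if not SAFE_NAME.fullmatch(name):
        raise InvalidFilename(f"disallowed characters or length: {name!r}")
    if PurePosixPath(name).suffix not in ALLOWED_SUFFIXES:
        raise InvalidFilename(f"unexpected extension: {name!r}")
    return name


def is_valid_filename(name: str) -> bool:
    try:
        validate_filename(name)
        return True
    except InvalidFilename:
        return False


def local_remove_argv(name: str) -> list[str]:
    # Local execution: hand subprocess.run(argv, shell=False) a list, never a
    # shell string, so ';', '|', '$(...)' and backticks in `name` are plain bytes.
    return ["rm", "-f", str(PROXY_DIR / validate_filename(name))]


def remote_remove_argv(name: str) -> list[str]:
    # Remote execution over SSH (assumed transport to managed servers): the remote
    # side always parses the command with a shell, so an argv list is not enough
    # and every interpolated value must additionally be shell-quoted.
    path = str(PROXY_DIR / validate_filename(name))
    return ["ssh", MANAGED_HOST, f"rm -f {shlex.quote(path)}"]
```

The same allowlist doubles as a detection rule for mitigation item 5: any proxy configuration filename in an audit log that fails `is_valid_filename` deserves a look.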


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-11-24T23:01:29.678Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 694b149ad69af40f3136cc7d

Added to database: 12/23/2025, 10:15:54 PM

Last enriched: 12/23/2025, 10:27:34 PM

Last updated: 12/24/2025, 12:44:54 AM
