CVE-2025-66212: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in coollabsio coolify
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Dynamic Proxy Configuration Filename handling allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Proxy configuration filenames are passed to shell commands without proper escaping, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-66212 is an OS command injection vulnerability classified under CWE-78 affecting Coolify, an open-source, self-hostable platform used for managing servers, applications, and databases. The vulnerability exists in versions prior to 4.0.0-beta.451 and stems from improper neutralization of special characters in proxy configuration filenames. Specifically, when Coolify processes dynamic proxy configuration filenames, these filenames are passed directly into shell commands without adequate escaping or sanitization, so shell metacharacters in a filename are interpreted by the shell rather than treated as part of the name. This flaw allows authenticated users who have application or service management permissions to inject arbitrary shell commands. Because these commands execute with root privileges on the managed servers, an attacker can achieve full remote code execution, potentially compromising the entire system. The vulnerability does not require user interaction beyond authentication and has a low attack complexity, making exploitation feasible for insiders or attackers who have obtained management credentials. The CVSS 4.0 score of 9.4 reflects the critical nature of this vulnerability, highlighting its impact on confidentiality, integrity, and availability, as well as the wide scope of affected systems. The issue was publicly disclosed on December 23, 2025, and fixed in version 4.0.0-beta.451. No public exploits have been reported yet, but the risk remains high because exploitation is easy and yields root access on managed servers.
Potential Impact
For European organizations, the impact of CVE-2025-66212 can be severe. Organizations using Coolify to manage critical infrastructure, applications, or databases risk full system compromise if attackers exploit this vulnerability. Attackers could gain root-level access, leading to data breaches, service disruptions, or deployment of persistent malware. Confidentiality of sensitive data could be lost, integrity of applications and configurations compromised, and availability of services disrupted. This is particularly concerning for sectors such as finance, healthcare, government, and critical infrastructure operators in Europe, where data protection regulations like GDPR impose strict requirements on data security. Additionally, the ability to execute arbitrary commands as root could facilitate lateral movement within networks, increasing the potential scale of attacks. The lack of known exploits in the wild provides a window for mitigation, but the high severity demands immediate attention to prevent potential targeted attacks.
Mitigation Recommendations
European organizations should immediately upgrade all Coolify instances to version 4.0.0-beta.451 or later to remediate this vulnerability. Until upgrades can be applied, restrict application/service management permissions to trusted administrators only, minimizing the number of users who can exploit this flaw. Implement strict access controls and monitor logs for unusual proxy configuration filename changes or suspicious shell command executions. Employ network segmentation to isolate Coolify-managed servers from critical network segments. Use host-based intrusion detection systems (HIDS) to detect anomalous root-level command executions. Regularly audit and rotate credentials for users with elevated permissions. Additionally, consider deploying runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect and block exploitation attempts. Finally, maintain an incident response plan tailored to potential Coolify compromises to enable rapid containment and recovery.
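The flaw described above is the pattern of interpolating a user-controlled filename into a shell string. As an added illustration (not Coolify's code; the directory, the command being built and the audit-log format are assumed), the following contrasts the unsafe builder with a validated and shell-quoted one, and reuses the same allowlist to flag suspicious proxy configuration filenames in log lines, as the monitoring recommendation above suggests:

```python
import re
import shlex

# Assumed filename policy (hypothetical, not Coolify's): a bare name with a
# known config extension, no path separators, no shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.(ya?ml|toml)$")


def validate_proxy_filename(name: str) -> str:
    """Return the name unchanged if it passes the allowlist, else raise."""
    if ".." in name or not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected proxy config filename: {name!r}")
    return name


def build_command_unsafe(dynamic_dir: str, name: str) -> str:
    """Vulnerable pattern: raw interpolation, so a separator inside the
    name ends one command and starts another."""
    return f"rm -f {dynamic_dir}/{name}"


def build_command_safe(dynamic_dir: str, name: str) -> str:
    """Hardened form: allowlist the name, then quote the single path
    argument so the shell sees exactly one operand."""
    path = f"{dynamic_dir}/{validate_proxy_filename(name)}"
    return f"rm -f {shlex.quote(path)}"


def suspicious_filename(name: str) -> bool:
    """Detection helper: anything the allowlist rejects is worth an alert."""
    try:
        validate_proxy_filename(name)
    except ValueError:
        return True
    return False


# Constructed audit lines; the format is invented for this example.
SAMPLE_LOG = [
    "2025-12-23T10:15:54Z proxy_config_saved user=alice filename=app.yaml",
    "2025-12-23T10:16:40Z proxy_config_saved user=eve filename=app.yaml; echo injected",
    "2025-12-23T10:17:11Z proxy_config_saved user=eve filename=../../etc/x.yaml",
]
LOG_RE = re.compile(r"user=(\S+) filename=(.*)$")


def scan_audit_lines(lines):
    """Return (user, filename) pairs whose filename fails the allowlist."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and suspicious_filename(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits
```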
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-24T23:01:29.678Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 694b149ad69af40f3136cc7d
Added to database: 12/23/2025, 10:15:54 PM
Last enriched: 1/7/2026, 2:53:46 AM
Last updated: 2/7/2026, 2:14:46 PM