CVE-2025-66213 is an OS command injection vulnerability classified under CWE-78 affecting Coolify, an open-source, self-hostable platform for managing servers, applications, and databases. The vulnerability exists in versions prior to 4.0.0-beta.451 within the File Storage Directory Mount Path functionality. Specifically, the parameter file_storage_directory_source is incorporated directly into shell commands without proper input validation or sanitization. This improper neutralization of special elements allows an authenticated user with application or service management permissions to inject arbitrary shell commands. Because these commands execute with root privileges on the managed servers, an attacker can achieve full remote code execution, compromising the entire host system. The vulnerability does not require user interaction beyond authentication, and the attack complexity is low due to the direct injection vector. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no user interaction, and privileges required at the application/service management level, with high impact on confidentiality, integrity, and availability. The flaw was publicly disclosed on December 23, 2025, and patched in version 4.0.0-beta.451. No known exploits have been observed in the wild yet, but the critical nature of the vulnerability demands immediate remediation. This vulnerability poses a significant risk to environments relying on Coolify for infrastructure management, especially where multiple servers are managed centrally.

The impact of CVE-2025-66213 is severe for organizations using vulnerable versions of Coolify. Exploitation leads to full remote code execution with root privileges on managed servers, allowing attackers to compromise confidentiality by accessing sensitive data, integrity by modifying or deleting data and configurations, and availability by disrupting services or deploying ransomware. Since Coolify is used to manage multiple servers and applications, a single exploited instance could lead to widespread compromise across an organization's infrastructure. The elevated privileges mean attackers can create persistent backdoors, move laterally within networks, and potentially escalate attacks to critical business systems. This vulnerability threatens organizations' operational continuity, data security, and compliance posture, especially in environments where Coolify is deployed in production or critical infrastructure management roles.

To mitigate CVE-2025-66213, organizations should immediately upgrade Coolify to version 4.0.0-beta.451 or later, where the vulnerability is patched. Until the upgrade is applied, restrict access to the Coolify management interface to trusted administrators only, enforcing strict role-based access controls to limit users with application or service management permissions. Implement network segmentation and firewall rules to limit exposure of the Coolify management endpoints. Monitor logs for unusual command execution or privilege escalation attempts. Employ runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect anomalous shell command executions. Conduct thorough audits of server configurations and access permissions to ensure no unauthorized changes have occurred. Additionally, consider isolating Coolify-managed servers in controlled environments to reduce blast radius in case of compromise. Finally, educate administrators about the risks of command injection vulnerabilities and the importance of timely patching.