CVE-2025-66213 is an OS command injection vulnerability classified under CWE-78 affecting Coolify, an open-source, self-hosted platform for managing servers, applications, and databases. The vulnerability arises from improper neutralization of special elements in the file_storage_directory_source parameter within the File Storage Directory Mount Path functionality. Specifically, this parameter is directly passed to shell commands without adequate sanitization or validation, allowing an authenticated user with application or service management permissions to inject arbitrary shell commands. These commands execute with root privileges on the underlying managed server, enabling full remote code execution (RCE). The vulnerability affects all versions prior to 4.0.0-beta.451, which includes the stable and beta releases before this patch. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no authentication required beyond management permissions (PR:L), no user interaction (UI:N), and high impacts on confidentiality, integrity, and availability (VC:H, VI:H, VA:H). Although no public exploits have been reported, the vulnerability's nature and ease of exploitation make it a critical threat. Attackers gaining root access can compromise the entire server environment, exfiltrate data, disrupt services, or pivot to other network assets. The vulnerability underscores the risk of insufficient input validation in administrative interfaces that interact with system-level commands.

For European organizations, this vulnerability poses a severe risk, especially those relying on Coolify for managing critical infrastructure, applications, or databases. Successful exploitation results in complete system compromise with root privileges, threatening confidentiality through data theft, integrity by unauthorized modifications, and availability via service disruption or destruction. Organizations in sectors such as finance, healthcare, government, and critical infrastructure, which often deploy self-hosted management tools, could face significant operational and reputational damage. The ability to execute arbitrary commands remotely without additional user interaction increases the likelihood of rapid exploitation once the vulnerability is known. Additionally, the breach could serve as a foothold for lateral movement within corporate networks, amplifying the impact. Given the open-source nature of Coolify, organizations using customized or older versions are particularly vulnerable if patches are not applied promptly. The lack of known exploits in the wild currently provides a window for proactive mitigation, but the critical severity demands urgent attention.

European organizations should immediately upgrade all Coolify instances to version 4.0.0-beta.451 or later, where the vulnerability is patched. Until upgrades are completed, restrict application and service management permissions strictly to trusted and vetted personnel to minimize the risk of insider or compromised user exploitation. Implement network segmentation to isolate Coolify management interfaces from untrusted networks and enforce strong authentication and access controls. Employ application-layer firewalls or intrusion detection systems to monitor for anomalous command injection patterns targeting the file_storage_directory_source parameter. Conduct thorough audits of existing Coolify deployments to identify outdated versions and unauthorized access. Additionally, consider deploying runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect and block suspicious command execution attempts. Regularly review and sanitize all inputs that interact with system commands in custom configurations or integrations. Finally, maintain an incident response plan tailored to potential RCE scenarios to ensure rapid containment and recovery.