CVE-2025-66213
Published: 23 December 2025
Summary
CVE-2025-66213 is a high-severity OS Command Injection (CWE-78) vulnerability in Coollabs Coolify. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates command injection by requiring validation and sanitization of inputs like the file_storage_directory_source parameter before passing to shell commands.
Ensures timely flaw remediation through patching to version 4.0.0-beta.451 or later, which fixes the unsanitized input vulnerability.
Enforces least privilege on Coolify processes to limit damage from injected commands, preventing root-level execution even if injection occurs.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authenticated command injection vulnerability in a remotely accessible self-hosted management tool enables exploitation of a public-facing application (T1190) to achieve remote code execution via direct injection into Unix shell commands (T1059.004).
NVD Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the File Storage Directory Mount Path functionality allows users with application/service management permissions to execute arbitrary commands…
more
as root on managed servers. The file_storage_directory_source parameter is passed directly to shell commands without proper sanitization, enabling full remote code execution on the host system. Version 4.0.0-beta.451 fixes the issue.
Deeper analysisAI
CVE-2025-66213 is an authenticated command injection vulnerability in Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. The issue affects versions prior to 4.0.0-beta.451 and resides in the File Storage Directory Mount Path functionality, where the file_storage_directory_source parameter is passed directly to shell commands without proper sanitization. This flaw, classified under CWE-78, enables attackers to inject and execute arbitrary commands.
Users with application or service management permissions can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants full remote code execution on the host system with root privileges, potentially allowing complete compromise of managed servers, including data exfiltration, persistence, or further lateral movement.
Official advisories and the project maintainers recommend updating to version 4.0.0-beta.451 or later, which addresses the issue through proper input sanitization. Relevant GitHub resources include the security advisory GHSA-cj2c-9jx8-j427, the fixing pull request at coolify/pull/7375, and the release tag v4.0.0-beta.451.
Details
- CWE(s)