Cyber Resilience

CVE-2025-66213

CriticalPublic PoCRCE

Published: 23 December 2025

Published
23 December 2025
Modified
17 March 2026
KEV Added
Patch
CVSS Score v4 9.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0297 85.5th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-66213 is a critical-severity OS Command Injection (CWE-78) vulnerability in Coollabs Coolify. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-66213 is an authenticated command injection vulnerability in Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. The issue affects versions prior to 4.0.0-beta.451 and resides in the File Storage Directory Mount Path functionality, where the file_storage_directory_source parameter is passed directly to shell commands without proper sanitization. This flaw, classified under CWE-78, enables attackers to inject and execute arbitrary commands.

Users with application or service management permissions can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants full remote code execution on the host system with root privileges, potentially allowing complete compromise of managed servers, including data exfiltration, persistence, or further lateral movement.

Official advisories and the project maintainers recommend updating to version 4.0.0-beta.451 or later, which addresses the issue through proper input sanitization. Relevant GitHub resources include the security advisory GHSA-cj2c-9jx8-j427, the fixing pull request at coolify/pull/7375, and the release tag v4.0.0-beta.451.

EU & UK References

Vulnerability details

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the File Storage Directory Mount Path functionality allows users with application/service management permissions to execute arbitrary commands…

more

as root on managed servers. The file_storage_directory_source parameter is passed directly to shell commands without proper sanitization, enabling full remote code execution on the host system. Version 4.0.0-beta.451 fixes the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Authenticated command injection vulnerability in a remotely accessible self-hosted management tool enables exploitation of a public-facing application (T1190) to achieve remote code execution via direct injection into Unix shell commands (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-59157Same product: Coollabs Coolify
CVE-2025-66210Same product: Coollabs Coolify
CVE-2025-22606Same product: Coollabs Coolify
CVE-2025-66209Same product: Coollabs Coolify
CVE-2025-22605Same product: Coollabs Coolify
CVE-2025-66211Same product: Coollabs Coolify
CVE-2025-66212Same product: Coollabs Coolify
CVE-2025-59156Same product: Coollabs Coolify
CVE-2025-64419Same product: Coollabs Coolify
CVE-2025-34161Same product: Coollabs Coolify

Affected Assets

coollabs
coolify
4.0.0 · ≤ 4.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates command injection by requiring validation and sanitization of inputs like the file_storage_directory_source parameter before passing to shell commands.

prevent

Ensures timely flaw remediation through patching to version 4.0.0-beta.451 or later, which fixes the unsanitized input vulnerability.

prevent

Enforces least privilege on Coolify processes to limit damage from injected commands, preventing root-level execution even if injection occurs.

References