CVE-2025-66210
CVE-2025-66210
9.4
CriticalPublished:
Last updated:
Source:security-advisories@github.com
Modified
Weakness (CWE)
CVSS Vector
v4.0- Attack Vector
- Network
- Attack Complexity
- Low
- Attack Requirements
- None
- Privileges Required
- Low
- User Interaction
- None
- Confidentiality (Vulnerable)
- High
- Integrity (Vulnerable)
- High
- Availability (Vulnerable)
- High
- Confidentiality (Subsequent)
- High
- Integrity (Subsequent)
- High
- Availability (Subsequent)
- High
Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Import functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Database names used in import operations are passed directly to shell commands without sanitization, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.
References
security-advisories@github.com
https://github.com/0xrakan/coolify-cve-2025-66209-66213security-advisories@github.com
https://github.com/coollabsio/coolify/pull/7375security-advisories@github.com
https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451security-advisories@github.com
https://github.com/coollabsio/coolify/security/advisories/GHSA-q33h-22xm-4cgh134c704f-9b21-4f2e-91b3-4a467353bcc0
https://github.com/coollabsio/coolify/security/advisories/GHSA-q33h-22xm-4cgh