CVE-2025-66211 in Coolify

Summary

by MITRE • 12/24/2025

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in PostgreSQL Init Script Filename handling allows users with application/service management permissions to execute arbitrary commands as root on managed servers. PostgreSQL initialization script filenames are passed to shell commands without proper validation, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.


Analysis

by VulDB Data Team • 01/01/2026

CVE-2025-66211 affects Coolify, an open-source, self-hostable platform for managing servers, applications, and databases. Because Coolify holds administrative access to the servers it manages (it runs commands on them over SSH), any flaw in how it builds those commands has infrastructure-wide consequences. This vulnerability sits in the service management code that handles PostgreSQL initialization scripts: prior to version 4.0.0-beta.451, the filename supplied for such a script was not validated before being used to construct shell commands, so any authenticated user allowed to manage applications or services could exploit it.

The flaw is a textbook command injection (CWE-77, improper neutralization of special elements used in a command): the initialization script filename is interpolated directly into a shell command string rather than passed as a discrete argument or checked against an allowlist. A user with application/service management permissions can therefore submit a "filename" containing shell metacharacters (a semicolon, backticks, or $(...) substitution, for example) and have the trailing text executed as its own command. Because Coolify runs these commands on managed servers as root, the injected command runs as root too.

The operational impact is severe. An authenticated attacker with service management permissions gains arbitrary command execution as root on the managed server, which means full compromise of that host: data exfiltration from any database or volume on it, persistent modification of system configuration, tampering with other workloads co-located on the host, and use of the host as a foothold for lateral movement into the rest of the network. The attacker needs no further privilege escalation, since the initial execution context is already the highest on the system. The risk is greatest in multi-tenant deployments, where a low-trust user who is permitted to manage a single service can reach every workload on the shared server, and in production environments where the managed hosts hold live database data.

The primary mitigation is to upgrade Coolify to version 4.0.0-beta.451 or later, which validates PostgreSQL initialization script filenames before they reach a shell command. Until the upgrade is in place, treat application/service management permission as equivalent to root on every managed server: restrict it to fully trusted personnel, and review the list of accounts that currently hold it. After upgrading, it is worth checking existing PostgreSQL service definitions for initialization script names that contain shell metacharacters (`;`, `|`, `&`, backticks, `$(`), since an attacker may already have planted one. Longer term, command construction that reaches managed hosts should be audited for the same pattern, and host-level monitoring should alert on unexpected child processes spawned from the Coolify-initiated session. In ATT&CK terms the resulting execution maps to T1059.004 (Command and Scripting Interpreter: Unix Shell), since the payload is run by the shell on the managed Linux server.
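The two paragraphs above describe the flaw (a filename spliced into a shell command string) and the fix (validating the filename before use). The following is an added example written for this page, not Coolify's own code: it models both forms in Python. The command built, the target directory, the allowlist rules and the function names are assumptions chosen for illustration; the only command actually executed is `echo`, so the demonstration is harmless to run.

```python
"""Shell injection through a PostgreSQL init-script filename, and the fix.

Added example, not Coolify's code. It models the advisory's pattern: a
user-controlled filename interpolated into a shell command string, beside
a hardened version that allowlists the name and passes it as an argument.
"""
import re
import shlex
import subprocess

# Assumed target directory; official Postgres images run *.sql and *.sh
# files found here on first start.
INIT_DIR = "/docker-entrypoint-initdb.d"

# Constructed attacker-controlled "filename" carrying a second command.
MALICIOUS_NAME = "init.sql; echo INJECTED"


def build_command_vulnerable(filename: str) -> str:
    """Flawed pattern: the raw filename becomes part of a shell string."""
    return f"echo staging {filename} into {INIT_DIR}"


def run_vulnerable(filename: str) -> list[str]:
    """Executes the string via /bin/sh, so metacharacters are honoured."""
    proc = subprocess.run(build_command_vulnerable(filename), shell=True,
                          capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


# Allowlist (assumed policy): alphanumerics, dot, underscore, hyphen only;
# must not start with '.' or '-' (blocks "..", hidden files and option
# injection); no '/' so the name cannot escape the init directory.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")
_ALLOWED_SUFFIXES = (".sql", ".sql.gz", ".sh")


def validate_init_filename(filename: str) -> str:
    """Return the filename unchanged if it passes the allowlist, else raise."""
    if not _SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected init script filename: {filename!r}")
    if not filename.endswith(_ALLOWED_SUFFIXES):
        raise ValueError(f"unsupported init script type: {filename!r}")
    return filename


def run_hardened(filename: str) -> list[str]:
    """Validate, then pass the name as a discrete argv element (no shell)."""
    name = validate_init_filename(filename)
    proc = subprocess.run(["echo", "staging", name, "into", INIT_DIR],
                          capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


def quote_for_remote_shell(filename: str) -> str:
    """When a single command string must be sent to a remote shell (as over
    SSH), validate first and still quote the argument as defence in depth."""
    name = validate_init_filename(filename)
    return f"cp {shlex.quote(name)} {INIT_DIR}/"


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable(MALICIOUS_NAME))
    print("hardened  :", run_hardened("init.sql"))
    try:
        run_hardened(MALICIOUS_NAME)
    except ValueError as exc:
        print("hardened rejected:", exc)
```

Running it shows the vulnerable path producing two lines of output, the second beginning with `INJECTED`, while the hardened path either treats the whole string as one literal argument or, with the allowlist in front, refuses it outright. The allowlist is the real control; `shlex.quote` is there for the case where the command has to be serialised to a single string for a remote shell, where argv-style execution is not available.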

Responsible

GitHub M

Reservation

11/25/2025

Disclosure

12/24/2025

Moderation

accepted

CPE

ready

EPSS

0.02701

KEV

no

Activities

very low
