Full Report
Cybersecurity researchers have disclosed details of multiple critical-severity security flaws affecting Coolify, an open-source, self-hosting platform, that could result in authentication bypass and remote code execution. The list of vulnerabilities is as follows - CVE-2025-66209 (CVSS score: 10.0) - A command injection vulnerability in the database backup functionality allows any authenticated
Analysis Summary
This summary focuses on the first listed vulnerability (CVE-2025-66209) as requested by the context, while acknowledging that multiple critical flaws exist.
# Vulnerability: Command Injection in Coolify Database Backup Functionality
## CVE Details
- CVE ID: CVE-2025-66209
- CVSS Score: 10.0 (Critical)
- CWE: [Not explicitly listed in the snippet, but implied to be Command Injection]
## Affected Systems
- Products: Coolify (open-source, self-hosting platform)
- Versions: <= 4.0.0-beta.451 (Inferred from group listing)
- Configurations: Users must have authenticated access with database backup permissions.
## Vulnerability Description
This is a critical command injection vulnerability residing within the database backup functionality of Coolify. An authenticated user, who possesses the necessary permissions to initiate a database backup, can inject and execute arbitrary operating system commands directly on the host server. Successful exploitation allows for container escape, leading to full compromise of the underlying host server.
## Exploitation
- Status: PoC available (Implied by disclosure details, though not explicitly stated as public PoC)
- Complexity: Likely Low, given the necessary precondition is standard authenticated access with elevated permissions.
- Attack Vector: Adjacent (Requires authentication to the platform)
## Impact
- Confidentiality: High (Full host access allows access to all secrets/data)
- Integrity: High (Arbitrary code execution as root allows system modification)
- Availability: High (System compromise/shutdown possible)
## Remediation
### Patches
Specific patched versions are not detailed for this individual CVE in the provided text, but it likely falls under the fixes released across versions following the affected range (<= 4.0.0-beta.451).
*Note: Recommend upgrading to the latest stable Coolify release after this disclosure.*
### Workarounds
- Restrict database backup permissions to the absolute minimum number of trusted administrators until patching is possible.
- Monitor commands executed by backup processes for anomalous activity.
## Detection
- Indicators of compromise: Unexpected processes running under the Coolify container or the host system that were initiated during a backup routine. Attempts to access the host filesystem or network from the backup process context.
- Detection methods and tools: Review system logs and container execution traces for unusual shell command invocations originating from the database backup service execution path.
## References
- Vendor Advisories: [Review Coolify GitHub Security Advisories for GHSA-vm5p-43qh-7pmq] (Defanged link: github com/coollabsio/coolify/security/advisories/GHSA-vm5p-43qh-7pmq)
- Relevant links: [The Hacker News Article on Coolify Disclosure] (Defanged link: thehackernews com/2026/01/coolify-discloses-11-critical-flaws.html)