CVE-2025-66212

8.8 HIGH

📋 TL;DR

Coolify versions before 4.0.0-beta.451 contain an authenticated command injection vulnerability in Dynamic Proxy Configuration Filename handling. Users with application/service management permissions can execute arbitrary commands as root on managed servers via shell command injection. This affects all Coolify deployments using vulnerable versions.
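The bug class described above is untrusted filename text reaching a shell. The following is an added illustration (not Coolify's code, and not taken from the advisory) of how a proxy-config filename can be validated and passed to a process without a shell ever parsing it; the allowlist pattern, the base directory and the `touch` command are assumptions chosen for the example.

```python
import re
import shlex
from pathlib import PurePosixPath

# Assumed allowlist policy for a proxy configuration filename (not Coolify's):
# first character alphanumeric, then letters/digits/dot/dash/underscore, ending
# in a config extension. Whitespace, shell metacharacters and path separators
# cannot pass this pattern.
FILENAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.(?:ya?ml|toml|conf)$")


def is_safe_config_filename(name: str) -> bool:
    """True only if the name matches the allowlist and is a single path component."""
    if not FILENAME_RE.fullmatch(name):
        return False
    # Defence in depth: reject traversal and anything with a directory part.
    return PurePosixPath(name).name == name and ".." not in name


def unsafe_shell_command(base_dir: str, name: str) -> str:
    """The vulnerable pattern: an untrusted name interpolated into a shell string.
    Kept here only to contrast with the builders below; it is never executed."""
    return f"touch {base_dir}/{name}"


def safe_argv(base_dir: str, name: str) -> list[str]:
    """Validate, then build an argv list for subprocess.run(argv, shell=False)."""
    if not is_safe_config_filename(name):
        raise ValueError(f"rejected proxy config filename: {name!r}")
    return ["touch", str(PurePosixPath(base_dir) / name)]


def safe_shell_command(base_dir: str, name: str) -> str:
    """If a shell string is unavoidable (e.g. a command sent over SSH to the
    managed server), quote the validated path with shlex.quote as a second layer."""
    if not is_safe_config_filename(name):
        raise ValueError(f"rejected proxy config filename: {name!r}")
    return f"touch {shlex.quote(str(PurePosixPath(base_dir) / name))}"


if __name__ == "__main__":
    # Constructed candidates: one legitimate name and several that must be refused.
    for candidate in ["traefik.yaml", "app.yaml; id", "$(id).conf", "../escape.yml", "a b.toml"]:
        verdict = "accepted" if is_safe_config_filename(candidate) else "rejected"
        print(f"{candidate!r}: {verdict}")
```

The allowlist does the real work; `shlex.quote` only guards the case where a shell string genuinely has to be built, and an argv list with `shell=False` removes the shell from the path entirely.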

💻 Affected Systems

Products:
  • Coolify
Versions: All versions prior to 4.0.0-beta.451
Operating Systems: Linux (all distributions where Coolify runs)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with application/service management permissions. Affects all deployments regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full root compromise of all managed servers, allowing attacker to steal data, deploy ransomware, pivot to other systems, and maintain persistent access.

🟠 Likely Case

Attacker with legitimate user credentials gains root access to managed servers, potentially compromising hosted applications and databases.

🟢 If Mitigated

Limited to authenticated users with specific permissions; proper network segmentation and least privilege access would contain damage.

🌐 Internet-Facing: HIGH - Coolify management interfaces are often exposed to internet for remote administration.
🏢 Internal Only: HIGH - Even internal deployments are vulnerable to insider threats or compromised credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated access but is trivial to execute once credentials are obtained. Public GitHub repository contains proof-of-concept.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.0-beta.451

Vendor Advisory: https://github.com/coollabsio/coolify/security/advisories/GHSA-q7rg-2j7p-83gp

Restart Required: Yes

Instructions:

1. Back up your Coolify configuration and data.
2. Stop the Coolify service.
3. Update to version 4.0.0-beta.451 or later using your deployment method (Docker, manual, etc.).
4. Restart the Coolify service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Restrict User Permissions (applies to: all)

Temporarily remove application/service management permissions from non-essential users until patching is complete.

Network Isolation (applies to: all)

Place Coolify management interface behind VPN or restrict access to trusted IP addresses only.

🧯 If You Can't Patch

  • Immediately audit and reduce user permissions to minimum required levels
  • Implement strict network segmentation to isolate Coolify from production servers

🔍 How to Verify

Check if Vulnerable:

Check the Coolify version via the web interface dashboard or by examining deployment files. If the version is below 4.0.0-beta.451, the system is vulnerable.

Check Version:

docker exec coolify cat /app/package.json | grep version  # for Docker deployments

Verify Fix Applied:

After updating, confirm version shows 4.0.0-beta.451 or higher in dashboard. Test proxy configuration functionality to ensure it works without allowing command injection.
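Comparing a string such as "4.0.0-beta.450" against "4.0.0-beta.451" by eye or with a lexical sort gets the beta counter wrong ("beta.5" sorts after "beta.451" as text). The script below is an added example, not part of this page or of Coolify: it parses the version read from package.json (the file the check above reads), compares it numerically against the patch version, and treats a non-beta release as newer than any beta of the same number. The package.json sample is constructed, and the assumption that the file carries a top-level "version" key matches the grep on the page.

```python
import json
import re

FIXED_VERSION = "4.0.0-beta.451"  # patch version from the advisory

# Accepts "4.0.0-beta.451" or "4.0.0", with an optional leading "v"; anything
# else is rejected rather than guessed at.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-beta\.(\d+))?$")


def parse_version(text: str) -> tuple:
    """Turn a Coolify version string into a numerically comparable tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Coolify version string: {text!r}")
    major, minor, patch, beta = m.groups()
    # A final release sorts after every beta of the same x.y.z, so it gets an
    # infinite beta number; beta numbers compare as integers (5 < 451).
    beta_key = int(beta) if beta is not None else float("inf")
    return (int(major), int(minor), int(patch), beta_key)


def is_vulnerable(version: str) -> bool:
    """True when the installed version is older than the patched version."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def version_from_package_json(text: str) -> str:
    """Read the version field from package.json content (JSON, not grep, so
    unrelated lines containing the word "version" cannot confuse the check)."""
    return json.loads(text)["version"]


def check(package_json_text: str) -> str:
    """Return a one-line verdict for the given package.json content."""
    v = version_from_package_json(package_json_text)
    state = "VULNERABLE, update required" if is_vulnerable(v) else "patched"
    return f"{v}: {state}"


# Constructed sample of package.json content; not real Coolify output.
SAMPLE_PACKAGE_JSON = '{"name": "coolify", "version": "4.0.0-beta.450"}'

if __name__ == "__main__":
    print(check(SAMPLE_PACKAGE_JSON))
```

Feed it the output of the docker exec command from the page (without the grep) and the verdict is computed from the parsed field rather than from a text match.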

📡 Detection & Monitoring

Log Indicators:

  • Unusual shell commands in Coolify logs
  • Multiple failed authentication attempts followed by successful login
  • Unexpected proxy configuration file creation

Network Indicators:

  • Unusual outbound connections from Coolify server
  • SSH or reverse shell connections originating from Coolify host

SIEM Query:

source="coolify" AND (command="*sh*" OR command="*bash*" OR command="*curl*" OR command="*wget*")
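The query above uses substring wildcards, so `*sh*` also fires on commands such as `git push` or `ssh`. The script below is an added example (not part of this page and not a Coolify component) that runs two readings of that query over constructed key=value log lines: the literal substring reading, and a stricter reading that matches the program name. It also implements the "unexpected proxy configuration file creation" indicator by flagging proxy-config filenames that carry shell metacharacters. The log format, field names and sample lines are all assumptions made for the example.

```python
import re
import shlex

# Constructed sample log lines in key=value form; not real Coolify output.
SAMPLE_LOGS = [
    'ts=2025-01-10T10:00:01Z source=coolify user=alice action=deploy command="git push origin main"',
    'ts=2025-01-10T10:00:05Z source=coolify user=alice action=proxy_config_write filename="traefik.yaml"',
    'ts=2025-01-10T10:01:12Z source=coolify user=bob action=proxy_config_write filename="site.yaml; id"',
    'ts=2025-01-10T10:01:13Z source=coolify user=bob action=exec command="bash -c id"',
    'ts=2025-01-10T10:02:00Z source=coolify user=carol action=exec command="curl -s http://example.invalid/x"',
    'ts=2025-01-10T10:03:00Z source=other user=dave action=exec command="wget http://example.invalid/y"',
]

# Terms from the page's SIEM query, read as substrings.
SIEM_TERMS = ("sh", "bash", "curl", "wget")
# Stricter reading: the program actually invoked.
SHELL_PROGRAMS = {"sh", "bash", "dash", "zsh"}
TOOL_PROGRAMS = {"curl", "wget"}
# Characters that have no business in a config filename.
SHELL_META = re.compile(r"[;&|`$<>(){}\n]")


def parse_line(line: str) -> dict:
    """Split a key=value line, honouring double quotes around values."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def naive_match(fields: dict) -> bool:
    """Literal reading of the page's query: substring match on the command."""
    cmd = fields.get("command", "")
    return fields.get("source") == "coolify" and any(t in cmd for t in SIEM_TERMS)


def program_match(fields: dict) -> bool:
    """Match on the first word of the command (basename only), so 'git push'
    and 'ssh' no longer trip the 'sh' term."""
    cmd = fields.get("command", "")
    if fields.get("source") != "coolify" or not cmd:
        return False
    program = shlex.split(cmd)[0].rsplit("/", 1)[-1]
    return program in SHELL_PROGRAMS or program in TOOL_PROGRAMS


def suspicious_filename(fields: dict) -> bool:
    """Proxy-config write whose filename contains shell metacharacters."""
    return (fields.get("action") == "proxy_config_write"
            and bool(SHELL_META.search(fields.get("filename", ""))))


def scan(lines: list[str]) -> list[dict]:
    """Return one record per line that triggers at least one indicator."""
    hits = []
    for line in lines:
        f = parse_line(line)
        reasons = []
        if naive_match(f):
            reasons.append("siem_substring")
        if program_match(f):
            reasons.append("siem_program")
        if suspicious_filename(f):
            reasons.append("metachar_filename")
        if reasons:
            hits.append({"ts": f.get("ts"), "user": f.get("user"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

On the sample, the `git push` line is flagged only by the substring reading, the `bash` and `curl` lines by both, and the metacharacter filename by the third rule alone; the `source=other` line is ignored, as the query intends. Because Coolify legitimately runs shell commands during deployments, the program-name rule still needs baselining per user and per action before it is used for alerting.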
