Critical Vulnerabilities Found in Coolify Allow Full Server Compromise; Users Urged to Update and Review Security Measures

Critical Vulnerabilities in Coolify Expose Self-Hosted Servers to Full Compromise

Cybersecurity experts have recently identified multiple critical vulnerabilities in Coolify, an open-source platform designed for self-hosting applications. These flaws could allow attackers to bypass authentication mechanisms and execute arbitrary code remotely, potentially leading to full server compromise.

Overview of Identified Vulnerabilities:

The discovered vulnerabilities are as follows:

1. CVE-2025-66209 (CVSS Score: 10.0): A command injection flaw in the database backup feature enables authenticated users with backup permissions to execute arbitrary commands on the host server, leading to container escape and complete server takeover.

2. CVE-2025-66210 (CVSS Score: 10.0): An authenticated command injection vulnerability in the database import function allows attackers to run arbitrary commands on managed servers, resulting in full infrastructure compromise.

3. CVE-2025-66211 (CVSS Score: 10.0): A command injection issue in the PostgreSQL initialization script management permits authenticated users with database permissions to execute commands as root on the server.

4. CVE-2025-66212 (CVSS Score: 10.0): An authenticated command injection vulnerability in the Dynamic Proxy Configuration feature allows users with server management permissions to execute commands as root on managed servers.

5. CVE-2025-66213 (CVSS Score: 10.0): A command injection flaw in the File Storage Directory Mount functionality enables users with application or service management permissions to execute commands as root on managed servers.

6. CVE-2025-64419 (CVSS Score: 9.7): A command injection vulnerability via the `docker-compose.yaml` file allows attackers to execute system commands as root on the Coolify instance.

7. CVE-2025-64420 (CVSS Score: 10.0): An information disclosure vulnerability permits low-privileged users to access the root user’s private key on the Coolify instance, facilitating unauthorized SSH access as the root user.

8. CVE-2025-64424 (CVSS Score: 9.4): A command injection issue in the Git source input fields of a resource allows low-privileged users to execute system commands as root on the Coolify instance.

9. CVE-2025-59156 (CVSS Score: 9.4): An operating system command injection vulnerability enables low-privileged users to inject arbitrary Docker Compose directives, achieving root-level command execution on the host.

10. CVE-2025-59157 (CVSS Score: 10.0): An operating system command injection flaw allows regular users to inject shell commands that execute on the server by manipulating the Git Repository field during deployment.

11. CVE-2025-59158 (CVSS Score: 9.4): Improper encoding or escaping of data allows authenticated low-privileged users to conduct stored cross-site scripting (XSS) attacks during project creation, which execute in the browser context when an administrator attempts to delete the project or its associated resource.
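The command injection entries above share one shape: a value typed into an operator-facing field (a database name, a Git repository URL, a compose file, an init script path) is handed to a root shell on the host or a managed server. The Python below is an added example, not Coolify's code, of the defensive pattern a maintainer would want for such fields: allowlist the value against a strict pattern, build the command as an argv list so no shell ever parses it, and quote every element only where a single shell string is unavoidable (for example a command relayed over SSH). The field patterns, the `pg_dump` and `git clone` invocations and the helper names are assumptions for illustration; the page does not show Coolify's own validation.

```python
from __future__ import annotations

import re
import shlex
import subprocess
import sys

# Allowlists for operator-supplied field values (constructed for this example).
# A database identifier: no whitespace, no shell metacharacters, cannot start with "-".
DB_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,62}$")
# A Git remote: https://host/path or git@host:path, limited to URL-safe characters.
GIT_URL_RE = re.compile(
    r"^(https://[A-Za-z0-9.-]+/[A-Za-z0-9._/-]+|git@[A-Za-z0-9.-]+:[A-Za-z0-9._/-]+)$"
)


class UnsafeInput(ValueError):
    """Raised when a field value fails its allowlist."""


def check_db_name(name: str) -> bool:
    return DB_NAME_RE.fullmatch(name) is not None


def check_git_url(url: str) -> bool:
    return GIT_URL_RE.fullmatch(url) is not None


def backup_argv(db_name: str, out_path: str) -> list[str]:
    """Build the dump command as an argv list; no shell is involved, so ';', '$(' or
    backticks inside db_name could never be interpreted even if validation were skipped."""
    if not check_db_name(db_name):
        raise UnsafeInput(f"database name rejected: {db_name!r}")
    return ["pg_dump", "--format=custom", "--file", out_path, db_name]


def clone_argv(git_url: str, dest: str) -> list[str]:
    """Build the clone command; '--' ends option parsing so a value that slipped
    through and started with '-' could not be read as a git flag."""
    if not check_git_url(git_url):
        raise UnsafeInput(f"git url rejected: {git_url!r}")
    return ["git", "clone", "--", git_url, dest]


def shell_string(argv: list[str]) -> str:
    """Only when a single string must reach a remote shell (e.g. over SSH):
    quote each element individually instead of interpolating raw values."""
    return " ".join(shlex.quote(a) for a in argv)


def echo_argv(value: str) -> str:
    """Show that an argv list delivers a value literally: the child process
    receives the raw string as one argument and nothing is interpreted.
    Uses the current Python interpreter so the demo runs offline."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.rstrip("\n")


if __name__ == "__main__":
    print(backup_argv("app_db", "/tmp/app_db.dump"))
    print(shell_string(["pg_dump", "--file", "/tmp/a b.dump", "app_db"]))
    print(check_db_name("app_db; id"), check_git_url("https://example.com/r.git$(id)"))
    print(echo_argv("app_db; id"))
```

The order matters: reject first, then never build a shell string from the value. `echo_argv` exists only to make the argv-list property visible; a metacharacter-laden value arrives in the child as one literal argument, which is exactly why the vulnerable pattern is string interpolation into a shell command rather than list-based execution.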

Affected Versions and Remediation:

The vulnerabilities impact the following versions of Coolify:

– CVE-2025-66209, CVE-2025-66210, CVE-2025-66211: Versions up to 4.0.0-beta.448 (fixed in 4.0.0-beta.451 and later).

– CVE-2025-66212, CVE-2025-66213: Versions up to 4.0.0-beta.450 (fixed in 4.0.0-beta.451 and later).

– CVE-2025-64419: Versions prior to 4.0.0-beta.436 (fixed in 4.0.0-beta.445 and later).

– CVE-2025-64420, CVE-2025-64424: Versions up to 4.0.0-beta.434 (fix status currently unclear).

– CVE-2025-59156, CVE-2025-59157, CVE-2025-59158: Versions up to 4.0.0-beta.420.6 (fixed in 4.0.0-beta.420.7 and later).
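Coolify's beta numbering (4.0.0-beta.420.6 sorts before 4.0.0-beta.420.7, which sorts before 4.0.0-beta.436) trips up plain string comparison, so the following is an added example, not a Coolify tool, of a small checker that parses such versions and maps an installed version against the ranges listed above. It encodes only what the page states: "up to X" as an inclusive bound, "prior to X" as an exclusive one, and a missing or unclear fix as no fix version. A version that is past the affected bound but below the fixed version (the page leaves 4.0.0-beta.436 through 4.0.0-beta.444 in that position for CVE-2025-64419), or past the bound where fix status is unclear, is reported as `unknown` rather than guessed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Version strings as they appear on this page: "4.0.0-beta.448", "4.0.0-beta.420.6".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-beta\.(\d+(?:\.\d+)*))?$")


def parse_version(text: str) -> tuple:
    """Turn a version string into a comparable tuple. Betas sort before the matching
    release; beta components compare numerically, so 420.6 < 420.7 < 436 < 448."""
    m = _VERSION_RE.match(text.strip().lstrip("v"))
    if not m:
        raise ValueError(f"unrecognised Coolify version: {text!r}")
    major, minor, patch, pre = m.groups()
    pre_tuple = tuple(int(p) for p in pre.split(".")) if pre else ()
    is_release = 1 if pre is None else 0
    return (int(major), int(minor), int(patch), is_release, pre_tuple)


@dataclass(frozen=True)
class Advisory:
    cves: tuple[str, ...]
    bound: str              # version the page uses as the affected bound
    inclusive: bool         # True for "up to X", False for "prior to X"
    fixed_from: str | None  # first fixed version; None when the page says it is unclear


# Ranges copied from the "Affected Versions and Remediation" list above.
ADVISORIES = (
    Advisory(("CVE-2025-66209", "CVE-2025-66210", "CVE-2025-66211"), "4.0.0-beta.448", True, "4.0.0-beta.451"),
    Advisory(("CVE-2025-66212", "CVE-2025-66213"), "4.0.0-beta.450", True, "4.0.0-beta.451"),
    Advisory(("CVE-2025-64419",), "4.0.0-beta.436", False, "4.0.0-beta.445"),
    Advisory(("CVE-2025-64420", "CVE-2025-64424"), "4.0.0-beta.434", True, None),
    Advisory(("CVE-2025-59156", "CVE-2025-59157", "CVE-2025-59158"), "4.0.0-beta.420.6", True, "4.0.0-beta.420.7"),
)


def status(version: str, adv: Advisory) -> str:
    """'affected', 'fixed', or 'unknown' (between the bound and the fix, or fix unclear)."""
    v = parse_version(version)
    b = parse_version(adv.bound)
    affected = v <= b if adv.inclusive else v < b
    if affected:
        return "affected"
    if adv.fixed_from is not None and v >= parse_version(adv.fixed_from):
        return "fixed"
    return "unknown"


def check(version: str) -> dict[str, str]:
    """Status of every CVE on the page for one installed version."""
    return {cve: status(version, adv) for adv in ADVISORIES for cve in adv.cves}


def unresolved(version: str) -> list[str]:
    """CVEs that are not confirmed fixed for this version: the list to act on."""
    return sorted(cve for cve, s in check(version).items() if s != "fixed")


if __name__ == "__main__":
    # Constructed sample: the version string an operator would read from their instance.
    installed = "4.0.0-beta.420.7"
    for cve, s in check(installed).items():
        print(f"{cve}: {s}")
    print("unresolved:", unresolved(installed))
```

Feed it the version your instance reports; anything returned by `unresolved` is either still affected or has no fix version on this page, and in both cases the action is the same as the update guidance below.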

Recommendations for Users:

Users of Coolify are strongly advised to:

– Update Immediately: Upgrade to the latest patched versions to mitigate these vulnerabilities.

– Review Permissions: Assess and restrict user permissions to the minimum necessary to reduce potential attack vectors.

– Monitor Systems: Implement continuous monitoring to detect any unauthorized activities promptly.

– Backup Data: Regularly back up critical data to ensure recovery in case of a security incident.

Conclusion:

The discovery of these critical vulnerabilities in Coolify underscores the importance of proactive security measures in self-hosted environments. By promptly updating to the latest versions and adhering to best security practices, users can safeguard their systems against potential exploits.