Security researchers have disclosed 11 high-impact security vulnerabilities affecting Coolify, an open-source self-hosting and application deployment platform. The flaws could allow attackers to bypass authentication controls and execute arbitrary commands, potentially resulting in complete server and infrastructure compromise on self-hosted instances.
Overview of the Disclosed Vulnerabilities
The identified issues primarily stem from command injection, improper input validation, and insecure permission handling across multiple Coolify features. Several of the flaws carry the maximum CVSS severity score of 10.0, indicating an extreme level of risk.
Key vulnerabilities include:
- CVE-2025-66209 (CVSS 10.0): A command injection flaw in the database backup feature that allows authenticated users with backup privileges to execute arbitrary system commands, escape containers, and gain full server control.
- CVE-2025-66210 (CVSS 10.0): A command injection issue in the database import process enabling attackers to execute commands on managed servers and compromise the entire infrastructure.
- CVE-2025-66211 (CVSS 10.0): A PostgreSQL initialization script vulnerability that permits authenticated users with database access to run commands as root.
- CVE-2025-66212 (CVSS 10.0): A dynamic proxy configuration flaw that allows users with server management rights to execute root-level commands.
- CVE-2025-66213 (CVSS 10.0): A file storage directory mount vulnerability that enables root command execution by users with application or service management permissions.
- CVE-2025-64419 (CVSS 9.7): A docker-compose configuration injection issue that allows arbitrary command execution as root on the Coolify host.
- CVE-2025-64420 (CVSS 10.0): An information disclosure flaw exposing the root user’s private SSH key to low-privileged users, enabling unauthorized root access.
- CVE-2025-64424 (CVSS 9.4): A command injection vulnerability in Git source configuration fields that allows low-privileged users to execute root commands.
- CVE-2025-59156 (CVSS 9.4): An operating system command injection issue that allows Docker Compose directive injection leading to root-level execution.
- CVE-2025-59157 (CVSS 10.0): A deployment workflow flaw that enables shell command injection through Git repository fields.
- CVE-2025-59158 (CVSS 9.4): A stored cross-site scripting (XSS) vulnerability that allows low-privileged users to execute malicious scripts in an administrator’s browser session.
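The root cause shared by several of these findings, a form field such as a Git repository URL or branch spliced into a shell command string, is easiest to see next to its fix. The Python below is an added illustration, not Coolify's code: it validates the Git source fields and builds an argv list so no shell ever parses them. All function names, the regexes and the sample values are assumptions for this example.

```python
"""Added illustration (not Coolify's code) of the pattern behind the Git-field
command injection findings: a form value spliced into a shell command, next
to a validated, shell-free way of invoking git."""
import re
import subprocess
from typing import List, Optional

# Characters /bin/sh treats specially; none belong in a repository locator or ref.
_SHELL_META = re.compile(r"[;&|`$<>(){}\\'\"\s]")
# Conservative https:// or git@host: locator shape (assumed policy, adjust locally).
_REPO_RE = re.compile(r"^(https://[\w.\-]+(:\d+)?/|git@[\w.\-]+:)[\w./\-]+$")
_REF_RE = re.compile(r"^[\w./\-]+$")


def git_source_error(repo_url: str, branch: str) -> Optional[str]:
    """Return why the fields are unsafe, or None when they are acceptable."""
    for name, value in (("repository", repo_url), ("branch", branch)):
        if _SHELL_META.search(value):
            return f"{name}: shell metacharacters are not allowed"
        if value.startswith("-"):
            return f"{name}: value would be parsed by git as an option"
        if ".." in value:
            return f"{name}: path traversal sequence"
    if not _REPO_RE.match(repo_url):
        return "repository: must be an https:// or git@host: locator"
    if not _REF_RE.match(branch):
        return "branch: must be a plain ref name"
    return None


def vulnerable_clone_command(repo_url: str, branch: str, dest: str) -> str:
    """The anti-pattern, for contrast only: one string that a shell will re-parse."""
    return f"git clone --branch {branch} {repo_url} {dest}"


def build_clone_argv(repo_url: str, branch: str, dest: str) -> List[str]:
    """Validated argv list; '--' keeps git from reading the URL as an option."""
    problem = git_source_error(repo_url, branch)
    if problem is not None:
        raise ValueError(problem)
    return ["git", "clone", "--branch", branch, "--", repo_url, dest]


def clone(repo_url: str, branch: str, dest: str) -> int:
    """Run without a shell: subprocess receives the list, not a command string."""
    return subprocess.run(build_clone_argv(repo_url, branch, dest)).returncode
```

The same two-step shape (allowlist validation, then an argv list with no shell) applies to the backup-name, proxy and compose fields named above; the validation rules differ per field, the absence of a shell does not.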
Affected Versions and Fix Status
The vulnerabilities impact multiple Coolify 4.0.0 beta releases, with fixes rolled out across various versions. Some flaws have been fully patched in later beta builds, while the remediation status for a subset of issues remains unclear, requiring administrators to carefully review their deployed versions and apply all available updates.

Exposure and Risk Landscape
According to attack surface intelligence from Censys, approximately 52,890 Coolify instances are currently exposed to the internet. The highest concentration of exposed hosts is observed in Germany, the United States, France, Brazil, and Finland.
Although there are no confirmed reports of active exploitation, the combination of widespread exposure and critical severity significantly increases the likelihood of future attacks.