Cybersecurity researchers have disclosed a slew of critical vulnerabilities impacting Coolify, a popular open-source self-hosting platform. These security flaws, ranging from critical-severity command injection to information disclosure, could allow attackers to bypass authentication and execute arbitrary code on affected servers, leading to full system compromise. The discoveries highlight potential risks for users relying on self-hosted infrastructure for their applications and services.
The identified vulnerabilities present a significant threat to the security posture of systems managed by Coolify. Of particular concern are the multiple command injection flaws carrying a CVSS score of 10.0, the highest possible rating, indicating extreme severity and ease of exploitation. These vulnerabilities span several functionalities within Coolify, including database backup and import, PostgreSQL init script management, dynamic proxy configuration, and file storage directory mounting.
Critical Coolify Vulnerabilities Pose Major Security Risks
The discovery of these critical security vulnerabilities in Coolify underscores the ongoing challenges in securing self-hosted environments. Attackers could potentially leverage these flaws to gain unfettered access to sensitive data and critical infrastructure.
Command Injection Vulnerabilities
Several vulnerabilities allow for arbitrary command execution on the host server. CVE-2025-66209, affecting the database backup functionality, allows any authenticated user with backup permissions to execute commands on the host server. This could lead to a container escape and complete server compromise. Similarly, CVE-2025-66210 targets the database import functionality, enabling attackers with authenticated access to execute arbitrary commands on managed servers, resulting in full infrastructure compromise.
Further command injection flaws are present in the PostgreSQL init script management (CVE-2025-66211), where authenticated users with database permissions can execute arbitrary commands as root on the server. The dynamic proxy configuration (CVE-2025-66212) and file storage directory mount functionality (CVE-2025-66213) also present similar risks, allowing users with server management or application/service management permissions, respectively, to execute arbitrary commands as root on managed servers.
Additional command injection vulnerabilities were found in the git source input fields of resources (CVE-2025-64424), enabling low-privileged users to execute system commands as root. A separate vulnerability (CVE-2025-59156) allows low-privileged users to inject arbitrary Docker Compose directives, achieving root-level command execution on the host. Exploiting the Git Repository field during deployment (CVE-2025-59157) also permits regular users to inject shell commands that execute on the server.
A notable vulnerability, CVE-2025-64419, allows attackers to execute arbitrary system commands as root on the Coolify instance via a compromised docker-compose.yaml file. This represents a direct attack vector leveraging the configuration files themselves.
Information Disclosure and XSS
Beyond command execution, a critical information disclosure vulnerability, CVE-2025-64420, allows low-privileged users to access the private key of the root user on the Coolify instance. This grants unauthorized SSH access, allowing the attacker to authenticate as the root user.
Furthermore, CVE-2025-59158 tracks a stored cross-site scripting (XSS) vulnerability. The flaw arises from improper encoding or escaping of user-supplied data during project creation. An authenticated user with low privileges can inject a script that executes automatically in an administrator's browser when the administrator attempts to delete the project or its associated resources.
Affected Versions and Mitigation
The vulnerabilities impact various versions of Coolify, with specific fixes available for different flaws. For CVE-2025-66209, CVE-2025-66210, and CVE-2025-66211, versions up to and including 4.0.0-beta.448 are affected, with fixes in versions 4.0.0-beta.451 and later. CVE-2025-66212 and CVE-2025-66213 affect versions up to 4.0.0-beta.450, also addressed in 4.0.0-beta.451 and later.
CVE-2025-64419 is present in versions prior to 4.0.0-beta.436, with a fix available in 4.0.0-beta.445. For CVE-2025-64420 and CVE-2025-64424, versions up to and including 4.0.0-beta.434 are affected, though the fix status remains unclear. The Docker Compose directive and Git Repository field injections (CVE-2025-59156 and CVE-2025-59157) and the stored XSS (CVE-2025-59158) impact versions up to 4.0.0-beta.420.6 and have been fixed in 4.0.0-beta.420.7.
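Because the affected and fixed ranges above differ per CVE and Coolify's beta version strings carry an optional extra suffix (4.0.0-beta.420.6 versus 4.0.0-beta.420.7), checking an installation by eye is error-prone. The following script is an added example, not code from the article or from the Coolify project: it encodes the version ranges exactly as stated in the two paragraphs above and reports, for a given version string, which CVEs that version falls within. It assumes the operator already knows the running version (for instance from the Coolify settings page) and passes it in as text; the version-string format "4.0.0-beta.NNN[.M]" is inferred from the versions quoted in the article.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int, int]


def parse_version(v: str) -> Version:
    """Parse a Coolify beta version like '4.0.0-beta.420.6' into a comparable tuple.

    The trailing '.M' suffix is optional and treated as 0 when absent, so
    4.0.0-beta.420.6 < 4.0.0-beta.420.7 < 4.0.0-beta.421 compares as expected.
    Raises ValueError for anything that does not match the assumed format.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)-beta\.(\d+)(?:\.(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Coolify version string: {v!r}")
    major, minor, patch, beta, sub = m.groups()
    return (int(major), int(minor), int(patch), int(beta), int(sub or 0))


# Ranges transcribed from the article's "Affected Versions and Mitigation" section.
# bound: the upper version of the affected range; inclusive: whether that bound is
# itself affected ("up to and including") or not ("prior to"); fixed_in: first
# version the article names as fixed, or None where the fix status is unclear.
ADVISORIES = [
    {"cves": ["CVE-2025-66209", "CVE-2025-66210", "CVE-2025-66211"],
     "bound": "4.0.0-beta.448", "inclusive": True, "fixed_in": "4.0.0-beta.451"},
    {"cves": ["CVE-2025-66212", "CVE-2025-66213"],
     "bound": "4.0.0-beta.450", "inclusive": True, "fixed_in": "4.0.0-beta.451"},
    {"cves": ["CVE-2025-64419"],
     "bound": "4.0.0-beta.436", "inclusive": False, "fixed_in": "4.0.0-beta.445"},
    {"cves": ["CVE-2025-64420", "CVE-2025-64424"],
     "bound": "4.0.0-beta.434", "inclusive": True, "fixed_in": None},
    {"cves": ["CVE-2025-59156", "CVE-2025-59157", "CVE-2025-59158"],
     "bound": "4.0.0-beta.420.6", "inclusive": True, "fixed_in": "4.0.0-beta.420.7"},
]


def _status(v: Version, bound: str, inclusive: bool, fixed_in: Optional[str]) -> str:
    upper = parse_version(bound)
    in_range = v <= upper if inclusive else v < upper
    if in_range:
        return "affected" if fixed_in else "affected (no fix version stated)"
    if fixed_in and v >= parse_version(fixed_in):
        return "fixed"
    # Above the stated affected bound but below the named fix: the article
    # does not say either way, so do not claim the version is safe.
    return "outside stated affected range"


def assess(version: str) -> Dict[str, str]:
    """Map every CVE in ADVISORIES to its status for the given version string."""
    v = parse_version(version)
    return {
        cve: _status(v, a["bound"], a["inclusive"], a["fixed_in"])
        for a in ADVISORIES
        for cve in a["cves"]
    }


def needs_update(version: str) -> bool:
    """True when the version falls inside any stated affected range."""
    return any(s.startswith("affected") for s in assess(version).values())


if __name__ == "__main__":
    import sys
    # Constructed sample version for stand-alone runs; pass a real one as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "4.0.0-beta.448"
    for cve, status in sorted(assess(target).items()):
        print(f"{cve}: {status}")
    print("update recommended" if needs_update(target) else "no stated affected range matched")
```

The "outside stated affected range" status is deliberate: for CVE-2025-64419 the article says versions prior to 4.0.0-beta.436 are affected and the fix shipped in 4.0.0-beta.445, so a version between those two is reported as unconfirmed rather than as fixed. Treat "fixed" as meaning only that the version is at or above the release the article names.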
According to data from the attack surface management platform Censys, approximately 52,890 Coolify hosts were exposed as of January 8, 2026. The primary geographic distributions of these exposed hosts were Germany (15,000), the United States (9,800), France (8,000), Brazil (4,200), and Finland (3,400). While there are currently no public reports indicating that these specific vulnerabilities have been actively exploited in the wild, their critical nature necessitates prompt action from users.
Users of Coolify are strongly advised to update their installations to the patched versions as soon as possible to mitigate the significant security risks. The ongoing nature of cybersecurity threats means that prompt application of security updates is crucial for maintaining the integrity and confidentiality of self-hosted infrastructure.