Is Your Coolify Server Vulnerable to Takeover?

Article Highlights
Off On

A recently published comprehensive security disclosure has brought to light a series of 11 critical vulnerabilities within the Coolify open-source platform, placing tens of thousands of self-hosted servers at immediate risk of complete takeover. This alarming discovery, detailed by cybersecurity researchers, underscores a significant threat to users who rely on the self-hosting solution for managing their applications and services. The majority of these identified flaws have been assigned the highest possible CVSS severity score of 10.0, indicating a level of criticality that demands immediate attention from administrators. The core issue revolves around multiple avenues for command injection, allowing attackers—in some instances, those with only minimal user privileges—to execute arbitrary commands on the host server with the highest level of system access. With an estimated 52,890 Coolify instances exposed online across the globe, primarily in Germany, the United States, and France, the potential for widespread compromise is substantial. This situation highlights the inherent risks of self-hosted infrastructure and the paramount importance of vigilant security practices and timely software updates.

The Anatomy of a Compromise

The central and most pervasive threat across the discovered vulnerabilities is command injection, a classic yet devastating attack vector that grants unauthorized command execution on the underlying server. In the case of Coolify, these flaws are deeply embedded within numerous core platform functionalities, creating multiple pathways for exploitation by an authenticated user. For example, critical injection vulnerabilities were identified in essential database management features. The handling of PostgreSQL initialization scripts (CVE-2025-66211), as well as database backup (CVE-2025-66209) and import (CVE-2025-66210) operations, were all found to be susceptible. An attacker with the necessary permissions to manage databases could craft malicious inputs for these functions, which would then be executed directly by the system with root privileges. This provides a direct line to full server control. Similarly, high-impact injection flaws were discovered in the Dynamic Proxy Configuration (CVE-2025-66212) and File Storage Directory Mount (CVE-2025-66213) services, further expanding the attack surface for users with specific management roles.

Further compounding the platform’s security posture, several of the most severe vulnerabilities arise from the improper sanitization and handling of user-provided configuration data, a fundamental aspect of the platform’s operation. This category of flaws allows attackers to achieve root-level command execution by embedding malicious commands within otherwise standard configuration files and input fields. One significant vulnerability (CVE-2025-64419) permits an attacker to inject malicious shell commands into a docker-compose.yaml file, which are then executed when the service is deployed or updated. Other attack vectors target the git integration, where malicious commands can be injected into git source input fields (CVE-2025-64424, CVE-2025-59157) or Docker Compose directives (CVE-2025-59156). What makes these particular vulnerabilities exceptionally dangerous is that they can be exploited by users with standard or “member-level” privileges. This effectively creates a straightforward and low-barrier method for privilege escalation, allowing a regular user to elevate their access to full root control over the entire host system with minimal effort.

Beyond Direct Command Execution

While command injection represents the most common attack vector, the security disclosure also revealed critical flaws that bypass the need for command execution entirely, offering attackers a more direct path to compromise. A particularly alarming information disclosure vulnerability (CVE-2025-64420) was uncovered, which allows a low-privileged authenticated user to gain access to the private SSH key belonging to the root user on the Coolify instance. This flaw is catastrophic, as it effectively hands an attacker the keys to the kingdom. With the root SSH key in hand, an adversary can establish a direct, fully authenticated remote session on the server, granting them persistent and unfettered root access without having to exploit any other flaw. This circumvents many common security monitoring tools that might otherwise detect suspicious command execution. In a separate but also serious issue, a stored cross-site scripting (XSS) vulnerability (CVE-2025-59158) was identified. An authenticated user could inject a malicious script during the project creation process. This script would remain dormant until an administrator later performs an action, such as deleting the project, at which point it executes within the administrator’s browser, potentially leading to session hijacking or further system compromise.

A Call for Immediate Remediation

The disclosure of these vulnerabilities impacted a range of Coolify v4.0.0 beta builds, specifically up to and including version 4.0.0-beta.450. In response to the findings, developers issued patches in several subsequent releases, including 4.0.0-beta.420.7, 4.0.0-beta.445, and 4.0.0-beta.451, which addressed the majority of the critical issues. Although the patch status for two of the CVEs remained unconfirmed at the time of the report, the release of these updated versions provided a clear path to mitigation for concerned administrators. While there were no public reports of these flaws being actively exploited in the wild, the extreme severity ratings and the straightforward nature of several exploitation paths created a scenario where preventative action was essential. The event served as a crucial reminder for the self-hosting community that the convenience and control offered by platforms like Coolify come with the responsibility of diligent security maintenance. The potential for complete infrastructure compromise made it imperative for all users to verify their instance versions and upgrade to the latest patched releases without delay to secure their servers from potential takeover.

Explore more

Vivo X Fold 6 – Review

The arrival of the Vivo X Fold 6 marks a pivotal moment where foldable devices transcend their status as fragile novelties to become the primary choice for power users. This transition represents a significant advancement in the mobile sector, pushing the boundaries of what a single handset can accomplish. By merging a book-style form factor with the raw performance of

Oppo Reno16 Series – Review

The modern smartphone market has reached a peculiar crossroads where the distinction between mid-range utility and flagship luxury is no longer defined by features but by the audacity of a manufacturer’s pricing strategy. Traditional product cycles often prioritize incremental updates, but this latest iteration signals a departure from conservative engineering. By integrating components usually reserved for the highest echelon of

AI Adoption Fails Without Proper Workforce Readiness

Ling-yi Tsai is a formidable force in the HRTech sector, possessing decades of experience guiding global organizations through the complex labyrinth of digital evolution. Her mastery of HR analytics and her tactical approach to integrating technology across recruitment and talent management have made her a sought-after advisor for companies looking to bridge the gap between human potential and machine efficiency.

The Human Infrastructure Powering Artificial Intelligence

The seamless flicker of a chatbot’s reply or the effortless lane change of a driverless vehicle often masks a vast, invisible network of human cognitive labor that makes such digital grace possible. While the marketing of advanced technology frequently paints a picture of silicon brains evolving in isolation, the underlying reality is a global assembly line of human intelligence. Every

Bruce Clay Leaves a Lasting Legacy as the Father of SEO

The Architect of an Industry and the Importance of Digital Frameworks The digital landscape we navigate today was not born out of thin air but was meticulously shaped by a few visionary thinkers who saw the potential of the internet long before it became a global marketplace. Among these pioneers, Bruce Clay stood as a singular figure whose influence spanned