PT-2025-52851 · Coolify · Coolify

Andrasbacsai · Published 2025-12-23 · Updated 2026-01-12 · CVE-2025-66209

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Coolify versions prior to 4.0.0-beta.451

Description: Coolify is a self-hostable tool for managing servers, applications, and databases. A command injection issue exists in the Database Backup functionality for authenticated users with application/service management permissions. Database names used in backup operations are passed to shell commands without proper sanitization, potentially allowing execution of arbitrary commands as root on managed servers.

Recommendations: Update to version 4.0.0-beta.451 or later.
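The defect described above is the classic shape of an OS command injection: an attacker-controlled identifier is spliced into a shell string instead of being passed as a single argument. The following is an added example, not Coolify's own code, that contrasts the two patterns and shows the mitigation a maintainer would apply (allowlist validation plus argv-style execution with no shell). The backup tool (pg_dump via docker exec), the container name and the /backups path are assumptions chosen for the illustration; the sample database names are constructed.

```python
"""Database-backup command construction: vulnerable pattern vs hardened form."""
from __future__ import annotations

import re
import shlex
import subprocess

# Assumption: backups run pg_dump inside a docker container and write to
# BACKUP_DIR. Both are hypothetical values for this example.
BACKUP_DIR = "/backups"

# Allowlist for database names: a leading alphanumeric or underscore, then up
# to 62 more of [A-Za-z0-9_-] (63 characters, the PostgreSQL identifier limit).
SAFE_DB_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_-]{0,62}")


def build_backup_command_unsafe(container: str, db_name: str) -> str:
    """Vulnerable pattern: the user-controlled name is spliced into a shell
    string. Any shell syntax inside db_name (';', '|', '$(...)', backticks,
    redirection) becomes part of the command line the shell interprets."""
    return f"docker exec {container} pg_dump -d {db_name} > {BACKUP_DIR}/{db_name}.sql"


def shell_tokens(command: str) -> list[str]:
    """Tokenise a command line the way a POSIX shell would, without running it.
    punctuation_chars=True makes ';' and '>' separate tokens, so a reviewer can
    see what the shell would treat as operators."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def count_shell_commands(command: str) -> int:
    """Number of ';'-separated commands a shell would run for this string.
    A correctly built backup line is always exactly one."""
    return shell_tokens(command).count(";") + 1


def validate_db_name(db_name: str) -> bool:
    """Allowlist check: accept only a plain identifier, reject everything else."""
    return SAFE_DB_NAME.fullmatch(db_name) is not None


def build_backup_command_safe(container: str, db_name: str) -> list[str]:
    """Hardened form: validate against the allowlist, then build an argv list.
    The name travels as one argument and no shell ever parses it. The output
    file is passed with -f instead of a shell redirection for the same reason."""
    if not validate_db_name(db_name):
        raise ValueError(f"rejected database name: {db_name!r}")
    return [
        "docker", "exec", container,
        "pg_dump", "-d", db_name, "-f", f"{BACKUP_DIR}/{db_name}.sql",
    ]


def run_backup(container: str, db_name: str) -> subprocess.CompletedProcess:
    """Execute the hardened command with shell=False (never shell=True)."""
    return subprocess.run(
        build_backup_command_safe(container, db_name),
        shell=False, check=True, capture_output=True,
    )


if __name__ == "__main__":
    # Constructed sample names: one legitimate, one carrying shell syntax.
    for name in ("app_prod", "app; echo injected"):
        unsafe = build_backup_command_unsafe("db-1", name)
        print(f"{name!r}: allowlisted={validate_db_name(name)}")
        print(f"  unsafe string would run {count_shell_commands(unsafe)} command(s)")
        try:
            print("  safe argv ->", build_backup_command_safe("db-1", name))
        except ValueError as exc:
            print("  safe argv ->", exc)
```

Two things carry the fix: the allowlist turns the database name back into an identifier before it is used anywhere, and the argv list removes the shell from the path entirely, so even a name that slips past validation cannot introduce a second command. The tokeniser is a review aid, useful for checking that a given command builder never produces more than one command for any input.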

Tags: Exploit · Fix · RCE · OS Command Injection


Weakness Enumeration

Related identifiers

CVE-2025-66209
GHSA-VM5P-43QH-7PMQ

Affected products

Coolify