PT-2025-52855 · Coolify · Coolify

0Xrakan
Published 2025-12-23
Updated 2026-01-12
CVE-2025-66212
CVSS v4.0 9.4 Critical
AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions
Coolify versions prior to 4.0.0-beta.451

Description
Coolify is a self-hostable tool for managing servers, applications, and databases. An OS command injection vulnerability exists in the handling of dynamic proxy configuration filenames. The filename supplied by the user is interpolated into a shell command without escaping or validation, so any account with application or service management permissions can run arbitrary commands as root on the managed servers the proxy configuration is written to. No further privilege is required beyond that application-level permission (PR:L in the vector), and because the commands run on the managed hosts rather than only inside the Coolify instance, the impact extends to those systems (SC/SI/SA:H).

Recommendations
Update to version 4.0.0-beta.451 or later. Until the upgrade is applied, treat every account holding application or service management rights as root-equivalent on all managed servers, and review which users hold those rights.
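The pattern the advisory describes, shown as an added example rather than Coolify's own code: a user-controlled filename is interpolated into a shell command string, and a filename carrying a `;` turns into a second command. The hardened builder, also an assumption for this example and not necessarily the upstream fix, allowlists the filename to a single safe path component before it is interpolated and quotes the resulting path as a second layer. Validation before interpolation is the part that matters when the command is assembled as a string and shipped to another host, where an argument array is not available. The directory name, the `printf` write and the regex are choices made for this example.

```python
import re
import shlex
import subprocess
import tempfile
from pathlib import Path

# Allowlist for a proxy config filename: one path component, alphanumeric start,
# no separators, spaces or shell metacharacters. Chosen for this example.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def build_command_vulnerable(config_dir: str, filename: str, content: str) -> str:
    """The advisory's pattern: the filename goes into the shell string unescaped.
    A filename such as 'x.yaml; touch /tmp/pwned #' becomes two commands."""
    return f"printf '%s' {shlex.quote(content)} > {config_dir}/{filename}"


def validate_filename(filename: str) -> str:
    """Reject anything that is not a plain single-component filename."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected proxy config filename: {filename!r}")
    return filename


def build_command_hardened(config_dir: str, filename: str, content: str) -> str:
    """Validate first, then quote the full target path before interpolation."""
    name = validate_filename(filename)
    target = shlex.quote(f"{config_dir}/{name}")
    return f"printf '%s' {shlex.quote(content)} > {target}"


def run_in_sandbox(builder, filename: str) -> dict:
    """Run the built command under sh in a throwaway directory and report whether
    a marker file outside the config directory was created (i.e. injection ran).
    'MARKER' in the filename is replaced by the marker path so the payload is
    self-contained; the payload itself is a constructed test input."""
    with tempfile.TemporaryDirectory() as tmp:
        config_dir = f"{tmp}/dynamic"
        Path(config_dir).mkdir()
        marker = Path(tmp) / "injected"
        payload = filename.replace("MARKER", str(marker))
        try:
            cmd = builder(config_dir, payload, "# constructed dynamic config\n")
        except ValueError:
            return {"rejected": True, "injected": False, "files": []}
        subprocess.run(["sh", "-c", cmd], check=False, capture_output=True, timeout=5)
        return {
            "rejected": False,
            "injected": marker.exists(),
            "files": sorted(p.name for p in Path(config_dir).iterdir()),
        }


if __name__ == "__main__":
    attack = "evil.yaml; touch MARKER #"
    print("vulnerable:", run_in_sandbox(build_command_vulnerable, attack))
    print("hardened:  ", run_in_sandbox(build_command_hardened, attack))
    print("benign:    ", run_in_sandbox(build_command_hardened, "app.yaml"))
```

Running the block shows the vulnerable builder creating the marker file from a filename that merely contains `; touch`, while the hardened builder refuses the same input and still writes an ordinary `app.yaml`. Quoting alone (`shlex.quote` on the filename) would also stop this particular payload, but the allowlist additionally blocks `../` traversal out of the configuration directory, which quoting does not.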

Exploit

Fix

RCE

OS Command Injection

Weakness Enumeration

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Identifiers

CVE-2025-66212
GHSA-Q7RG-2J7P-83GP

Affected Products

Coolify