RCE in Coollabsio Coolify

CVE-2025-66212

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Dynamic Proxy Configuration Filename handling allo…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.003 (54.7th percentile)

Affected products

Weakness classification (CWE)

References