RCE in Coollabsio Coolify

CVE-2025-66213

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the File Storage Directory Mount Path functionality al…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.002 (45.9th percentile)
