CVE-2025-66213

216.73.216.6

· Published 23/12/2025 22:15 · Modified 23/12/2025 22:15

Labels: CVE-2025-66213 2025-12-23 CVE-2025-66213 CWE-78 [email protected]

Essential information

Published: 23/12/2025 22:15
Modified: 23/12/2025 22:15
Author: —
Creator: —
CVSS: 9.4 CRITICAL (v3) 9.4 CRITICAL (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the File Storage Directory Mount Path functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. The file_storage_directory_source parameter is passed directly to shell commands without proper sanitization, enabling full remote code execution on the host system. Version 4.0.0-beta.451 fixes the issue.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
coolify / coolify	`cpe:2.3:a:coolify:coolify::::::::`