Cybersecurity researchers have revealed 11 critical security vulnerabilities in Coolify, an open-source platform widely used for self-hosting applications, services, and infrastructure management. These flaws are particularly serious — many allow command injection, authentication bypass, and remote code execution (RCE) on vulnerable systems, potentially enabling attackers to take complete control of affected servers. Experts are warning users to apply patches urgently given the severity of the issues and the large number of publicly exposed instances worldwide.

Self-hosted deployment solutions like Coolify have grown in popularity as developers seek more control over their infrastructure without relying on proprietary cloud services. However, this trend also increases the potential attack surface for misconfigurations and software flaws. The latest Coolify disclosure reinforces the importance of continuous vulnerability management, rapid patching, and proactive monitoring for self-hosted platforms.

What Coolify Is and Why It Matters

Coolify is an open-source, self-hosting platform that simplifies deployment and management of server applications and databases. It's often deployed via Docker and allows teams to automate key server operations, deliver apps faster, and maintain more control over infrastructure compared to managed cloud offerings. Because it's open source, developers can inspect its code, modify it, or extend it to meet project needs.

However, the very flexibility that makes Coolify appealing also creates risk: when widely deployed software is misconfigured or contains flaws, attackers can exploit those weaknesses to compromise multiple systems at scale. In this case, dozens of critical bugs in the core platform could be abused to achieve full server compromise, privilege escalation, or unauthorized access.
According to data from attack surface management firm Censys, there are roughly 52,890 Coolify hosts publicly reachable on the internet, with the largest concentrations in Germany (~15,000), the United States (~9,800), France (~8,000), Brazil (~4,200), and Finland (~3,400) — a substantial exposure that heightens the risk if attackers begin exploiting these flaws in the wild.

Overview of the 11 Critical Vulnerabilities

The vulnerabilities span multiple parts of the Coolify platform and range from command injection to information disclosure and even cross-site scripting (XSS). The following is a breakdown of all eleven issues disclosed:

1. CVE-2025-66209 — Database Backup Command Injection (CVSS 10.0)
A command injection vulnerability in the database backup feature allows authenticated users with backup permissions to run arbitrary host commands. This can lead to container escape and full server compromise.

2. CVE-2025-66210 — Database Import Command Injection (CVSS 10.0)
Authenticated attackers can inject and execute arbitrary commands on managed servers through the database import functionality, enabling complete infrastructure compromise.

3. CVE-2025-66211 — PostgreSQL Init Script Injection (CVSS 10.0)
Similarly, this flaw in the PostgreSQL initialization process lets users with certain database privileges execute arbitrary commands as root on the host.

4. CVE-2025-66212 — Dynamic Proxy Config Injection (CVSS 10.0)
Users with server management permissions can abuse input in the dynamic proxy configuration to run root-level commands across the environment.

5. CVE-2025-66213 — File Storage Directory Mount Injection (CVSS 10.0)
Using the file storage directory mount feature, an attacker can execute arbitrary commands with root privileges, severely compromising the server.

6. CVE-2025-64419 — Docker Compose Command Injection (CVSS 9.7)
Improper sanitization of Docker Compose YAML parameters enables attackers to inject system commands that are executed as root.
This can also lead to full compromise of the Coolify host.

7. CVE-2025-64420 — Information Disclosure of Root SSH Key (CVSS 10.0)
A flaw allows even low-privilege users to read the private SSH key of the root user on the Coolify instance. Possessing this key permits unauthorized SSH access as root, effectively bypassing authentication protections.

8. CVE-2025-64424 — Git Source Field Injection (CVSS 9.4)
A command injection weakness in the Git source input field lets a low-privilege user execute arbitrary root commands on the server during repository operations.

9. CVE-2025-59156 — Docker Compose OS Injection (CVSS 9.4)
This vulnerability allows untrusted Docker Compose modifications that result in arbitrary command execution as root at the host level.

10. CVE-2025-59157 — Git Repository Deployment Injection (CVSS 10.0)
Another severe flaw, this one permits a regular user to inject and run arbitrary shell commands via the Git repository field during deployment stages.

11. CVE-2025-59158 — Stored Cross-Site Scripting (CVSS 9.4)
A stored XSS flaw allows low-privilege authenticated users to inject malicious scripts during project creation. These scripts automatically run in the browser when an administrator later attempts to delete the project or resource — potentially facilitating session theft, credential capture, or admin account compromise.

Affected Versions and Patch Status

The impact of these flaws depends on the specific Coolify version in use:

- Some flaws (CVE-2025-66209, 66210, and 66211) affect versions ≤ 4.0.0-beta.448 and are fixed in 4.0.0-beta.451 or later.
- Others (CVE-2025-66212 and CVE-2025-66213) impact ≤ 4.0.0-beta.450 and are fixed in versions ≥ 4.0.0-beta.451.
- The CVE-2025-64419 flaw is addressed in versions ≥ 4.0.0-beta.445.
- For some vulnerabilities, such as CVE-2025-64420 and CVE-2025-64424, the fix status is not yet clear.
- A trio of vulnerabilities (CVE-2025-59156, 59157, 59158) affect older betas (≤ 4.0.0-beta.420.6) and are resolved in 4.0.0-beta.420.7.

If you are running a vulnerable version, upgrading to the latest patched release — or any stable release that includes these fixes — is strongly advised to avoid exposure to potential exploitation.

Why These Flaws Are So Dangerous

What makes this cluster of vulnerabilities especially critical is the breadth of their impact and the low barrier to exploitation in some cases:

Command Injection Enables Full Server Takeover

Many of the identified flaws are command injection vulnerabilities, which allow crafted input to be passed directly to the operating system shell without sufficient sanitization. This type of flaw is particularly dangerous because it effectively gives an attacker the ability to run arbitrary commands at the highest privilege level. With root-level execution, nearly anything on the host machine can be done: installing backdoors, stealing data, or pivoting to other parts of the network.

Low-Privilege Users Can Escalate to Root

Several of the vulnerabilities allow users with little or no elevated permissions to escalate privilege to root — the most powerful account on a server — through feature misuse. This means that even internal users who are not admins can potentially compromise the entire system if their account is able to interact with affected features.

Authentication Bypass and Key Exposure

Some flaws allow unauthorized disclosure of sensitive assets like the root SSH private key. Possession of such a key renders authentication controls largely moot and enables attackers to log in as root directly over SSH.

No Known Exploitation in the Wild — But Time Is of the Essence

At the time of disclosure, there are no confirmed reports of these flaws being exploited in the wild.
However, given their severity and the number of exposed instances, security experts strongly recommend that administrators patch their systems promptly before attackers can reverse-engineer the patches or independent proof-of-concept exploits appear. Because the vulnerabilities touch core functionality used by many self-hosted Coolify deployments, a failure to patch quickly could leave infrastructure open to remote takeover, data theft, and operational disruption.

Mitigation Strategies for Administrators

Beyond updating Coolify itself, there are practical steps organizations and self-hosters can take to reduce exposure to such high-impact vulnerabilities:

1. Isolate Management Interfaces
Restrict access to Coolify's admin interface to trusted networks or VPNs to minimize exposure to attackers scanning publicly.

2. Harden User Permissions
Review and tighten user roles and permissions so that only trusted administrators have access to sensitive features like database backups or dynamic proxy settings.

3. Monitor for Anomalous Behavior
Deploy monitoring for unusual command execution patterns, unexpected SSH logins, or other signs of compromise that might indicate attempted exploitation.

4. Enable Frequent Patch Cycles
Establish a regular update and patch cycle for self-hosted software to ensure critical fixes are applied rapidly as soon as they are released.

The Broader Context: Supply Chain and Self-Hosting Risks

Coolify's vulnerabilities underscore a broader theme in modern DevOps and cloud native security: self-hosting convenience comes with operational risk. Tools like Coolify and similar platforms empower smaller teams to deploy services independently, but they also shift the responsibility for security entirely onto the operators — who must keep software up to date, manage access controls robustly, and be vigilant for new vulnerabilities.
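The command injection class described under "Why These Flaws Are So Dangerous" comes down to one pattern: user-controlled text concatenated into a shell command. The following is an added illustration written for this article, not Coolify's code; the backup helper names, the identifier policy and the `/backups` path are assumptions. It places the vulnerable form beside a hardened one that validates the name against an allowlist and hands the shell-free argv list to `subprocess`.

```python
"""Shell command injection in a backup helper: unsafe vs. hardened form.

Added illustration; not Coolify's code. Helper names, the database-name
policy and the /backups path are assumptions made for this example.
"""
import re
import shlex
import subprocess

# Assumed identifier policy: PostgreSQL-style names (letters, digits, underscore).
DB_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")


def unsafe_backup_command(db_name: str) -> str:
    """The vulnerable pattern: one shell string built from user input.

    Everything in db_name reaches /bin/sh untouched, so a metacharacter such
    as ';' ends the pg_dump command and starts a second one.
    """
    return f"pg_dump {db_name} > /backups/{db_name}.sql"


def safe_backup_command(db_name: str) -> list[str]:
    """The hardened pattern: allowlist the input, return an argv list.

    With an argv list there is no shell to interpret metacharacters, and the
    allowlist rejects anything that is not a plain identifier.
    """
    if not DB_NAME_RE.fullmatch(db_name):
        raise ValueError(f"rejected database name: {db_name!r}")
    return ["pg_dump", "--file", f"/backups/{db_name}.sql", db_name]


def shell_would_run(command: str) -> list[str]:
    """Tokenizes a shell string the way sh would, keeping ';' as its own
    token, to show where the injected command boundary appears."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def run_safe_backup(db_name: str) -> subprocess.CompletedProcess:
    """Executes the hardened form; a list argument means shell=False."""
    return subprocess.run(safe_backup_command(db_name), capture_output=True)


if __name__ == "__main__":
    crafted = "prod; id"  # constructed hostile input for demonstration
    print(shell_would_run(unsafe_backup_command(crafted)))
    try:
        safe_backup_command(crafted)
    except ValueError as exc:
        print("hardened helper:", exc)
```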
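Mitigation step 3 above asks for monitoring of unexpected SSH logins, which matters here because CVE-2025-64420 exposes the root SSH private key. The following is an added detection example, not Coolify's or any vendor's tooling: it parses OpenSSH "Accepted" lines and flags root logins from outside an approved network. The log lines are constructed, and the trusted VPN range is an assumption.

```python
"""Flag accepted root SSH logins from outside an approved source range.

Added example for the monitoring advice in this article; not Coolify
tooling. The log lines are constructed and the trusted CIDR is assumed.
"""
import ipaddress
import re

# Assumed: the only range from which root should ever log in over SSH (a VPN).
TRUSTED_NETS = [ipaddress.ip_network("10.8.0.0/24")]

# Matches the standard OpenSSH "Accepted <method> for <user> from <ip> port <n>" line.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample log; 203.0.113.0/24 is the documentation address range.
SAMPLE_LOG = """\
Nov 29 10:01:02 coolify sshd[1201]: Accepted publickey for deploy from 10.8.0.12 port 51022 ssh2: ED25519 SHA256:AAAA
Nov 29 10:02:44 coolify sshd[1209]: Accepted publickey for root from 10.8.0.5 port 51100 ssh2: ED25519 SHA256:BBBB
Nov 29 10:05:10 coolify sshd[1222]: Failed password for root from 203.0.113.7 port 40001 ssh2
Nov 29 10:06:31 coolify sshd[1230]: Accepted publickey for root from 203.0.113.7 port 40010 ssh2: ED25519 SHA256:CCCC
"""


def is_trusted(ip: str) -> bool:
    """True when the source address falls inside one of TRUSTED_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_suspicious_root_logins(log_text: str) -> list[dict]:
    """Returns accepted root logins whose source is outside TRUSTED_NETS.

    Failed attempts are ignored here; the signal of a stolen key is a
    successful publickey login for root from an unexpected address.
    """
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m or m["user"] != "root" or is_trusted(m["ip"]):
            continue
        hits.append({"ip": m["ip"], "method": m["method"], "line": line})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_root_logins(SAMPLE_LOG):
        print(f"ALERT: root login via {hit['method']} from {hit['ip']}")
```

In production the same check would run over journald or /var/log/auth.log output rather than the embedded sample.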
As more developers turn to open-source solutions for flexibility and cost savings, ensuring that the software stacks they depend on remain secure becomes an increasingly important part of cloud native and DevOps practices. Administrators must balance the benefits of self-hosting with proactive security measures to avoid becoming easy targets for attackers.

Conclusion: Act Now to Safeguard Coolify Servers

The disclosure of eleven critical vulnerabilities in Coolify is a stark reminder that even open-source infrastructure tools can harbor severe security flaws that affect entire servers if left unpatched. Many of the identified bugs — especially those involving command and OS-level injection — have the potential to completely compromise affected hosts, making rapid remediation essential for anyone running Coolify in production or exposed environments.

Administrators and developers should prioritize upgrading to the latest patched versions, reviewing permissions and access rules, and ensuring their self-hosted deployments are isolated and monitored effectively. These steps, combined with an active patching strategy, will help guard against the significant risks posed by these vulnerabilities before attackers can exploit them.