What happened
Coolify discloses 11 critical flaws enabling full server compromise in its self-hosting platform. The disclosed vulnerabilities include CVE-2025-66209, a CVSS 10.0 command injection flaw in the database backup functionality that allows authenticated users to bypass authentication and execute arbitrary commands, potentially leading to full server takeover. The set of flaws also encompasses authentication bypass and remote code execution (RCE) issues enabling attackers to escalate privileges and run arbitrary code on self-hosted Coolify instances. These vulnerabilities affect the open-source deployment of Coolify, with exploitation paths tied directly to its database and authentication mechanisms.
Who is affected
Administrators and users of self-hosted Coolify instances are directly impacted due to the ability of authenticated attackers to execute code and gain elevated control over affected servers.
Why CISOs should care
Critical flaws in widely used self-hosted platforms can lead to full infrastructure compromise, data exposure, and further lateral attacks, emphasizing the importance of vulnerability management and secure configuration for third-party tools.
3 practical actions
- Apply updates: Deploy Coolify security patches promptly across all self-hosted environments.
- Restrict access: Limit authenticated access to Coolify management interfaces.
- Review backups: Ensure backup mechanisms are secure and tested for integrity.
