CVE-2025-66209
🔴 Patch now
Exploitation of a vulnerability in Coolify allows authenticated users to execute arbitrary commands as root on managed servers.
CVSS
9.9
EPSS
0.2%
Exploit
poc
Vendor
coollabs
Source description (NVD)
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Backup functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Database names used in backup operations are passed directly to shell commands without sanitization, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.
exploit rce
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 9.9 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 0.2% |
| Published (NVD) | 2025-12-23 22:15:52 UTC |
| Last modified (NVD) | 2026-03-17 17:16:13 UTC |
References
- https://github.com/0xrakan/coolify-cve-2025-66209-66213 (security-advisories@github.com) [Exploit, Third Party Advisory]
- https://github.com/coollabsio/coolify/pull/7375 (security-advisories@github.com) [Issue Tracking, Patch]
- https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451 (security-advisories@github.com) [Release Notes]
- https://github.com/coollabsio/coolify/security/advisories/GHSA-vm5p-43qh-7pmq (security-advisories@github.com) [Exploit, Vendor Advisory]