Coolify reports 11 critical flaws enabling full server compromise
Take action: Make sure every Coolify management interface is isolated from the internet and reachable only from trusted networks. Update your platform to version 4.0.0-beta.451 as soon as possible: with this many critical flaws, it is only a matter of time before they are exploited.
Security researchers report 11 critical vulnerabilities in Coolify, a popular open-source self-hosting platform. These flaws allow authenticated users to bypass security controls and execute arbitrary code on the host system. The most severe bugs enable attackers to escape containers and gain root-level access to the underlying server infrastructure.
Vulnerabilities summary:
- CVE-2025-66209 (CVSS score 10.0) - Command injection in database backup functionality allowing host compromise.
- CVE-2025-66210 (CVSS score 10.0) - Authenticated command injection in database import tools.
- CVE-2025-66211 (CVSS score 10.0) - Root-level command injection via PostgreSQL init scripts.
- CVE-2025-66212 (CVSS score 10.0) - Command injection in Dynamic Proxy Configuration.
- CVE-2025-66213 (CVSS score 10.0) - Root command execution through File Storage Directory Mounts.
- CVE-2025-64419 (CVSS score 9.7) - Command injection via docker-compose.yaml files.
- CVE-2025-64420 (CVSS score 10.0) - Information disclosure of the root user's private SSH key.
- CVE-2025-64424 (CVSS score 9.4) - Command injection in git source input fields.
- CVE-2025-59156 (CVSS score 9.4) - OS command injection via Docker Compose directives.
- CVE-2025-59157 (CVSS score 10.0) - Shell command injection using the Git Repository field.
- CVE-2025-59158 (CVSS score 9.4) - Stored cross-site scripting (XSS) during project creation.
Data from Censys shows approximately 52,890 Coolify hosts are currently exposed to the internet. Germany hosts the largest number of instances with 15,000, followed by the United States with 9,800 and France with 8,000.
Researchers have not seen these flaws used in active attacks yet, but the high number of exposed instances and the severity of the bugs create a significant attack surface for self-hosted environments.
The vulnerabilities affect a range of 4.0.0 beta builds; versions up to and including 4.0.0-beta.450 are impacted by the most critical command injection flaws.
Developers have released patches in version 4.0.0-beta.451 and other recent updates to address these security gaps. Users should verify their current version and apply the updates as soon as possible to protect their infrastructure from unauthorized access.
As a matter of best practice, users should restrict access to their Coolify dashboards and ensure they are not reachable from the public internet.
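The two checks the advice above boils down to (is this host on a fixed build, and is the dashboard listening on every interface) can be scripted for a fleet. The following is an added example written for this page, not code from the article or from the Coolify project. It assumes Coolify version strings look like "4.0.0-beta.N" (optionally prefixed with "v"), that builds from 451 onward carry the fixes, and that the dashboard listens on TCP 8000 by default; the `ss` output it parses is a constructed sample, not captured from a real host.

```shell
#!/bin/sh
# Added triage helper for this article, not part of Coolify itself.
# Assumptions: version strings of the form "4.0.0-beta.N" (optional "v"
# prefix), N >= 451 is fixed, and the dashboard listens on TCP 8000.

FIXED_BETA=451
DASHBOARD_PORT=8000

# coolify_is_patched VERSION
#   exit 0 - 4.0.0-beta.451 or later
#   exit 1 - a known-affected beta build (450 or below)
#   exit 2 - string not recognised; treat as unverified, never as safe
coolify_is_patched() {
    v="${1#v}"
    case "$v" in
        4.0.0-beta.*) ;;
        *) return 2 ;;
    esac
    n="${v#4.0.0-beta.}"
    case "$n" in
        ''|*[!0-9]*) return 2 ;;   # rejects "451rc", empty suffix, etc.
    esac
    [ "$n" -ge "$FIXED_BETA" ]
}

# port_is_wildcard_bound PORT  (reads `ss -ltnH` style lines on stdin)
#   exit 0 if PORT listens on 0.0.0.0, * or [::], i.e. on every interface.
port_is_wildcard_bound() {
    port="$1"
    rc=1
    while read -r _state _recvq _sendq laddr _rest; do
        case "$laddr" in
            "0.0.0.0:$port"|"*:$port"|"[::]:$port") rc=0 ;;
        esac
    done
    return "$rc"
}

# Constructed sample of `ss -ltnH` output (not from a real host): the
# dashboard is published on all interfaces by docker-proxy, a second
# service is loopback-only, and sshd listens on the IPv6 wildcard.
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:8000 0.0.0.0:* users:(("docker-proxy",pid=1234,fd=4))
LISTEN 0 128 127.0.0.1:6001 0.0.0.0:*
LISTEN 0 4096 [::]:22 [::]:*'

# triage VERSION  (reads `ss -ltnH` output on stdin): one verdict per check.
triage() {
    status=0
    coolify_is_patched "$1" || status=$?
    case "$status" in
        0) echo "version $1: patched" ;;
        2) echo "version $1: unrecognised, verify manually" ;;
        *) echo "version $1: AFFECTED, update to 4.0.0-beta.$FIXED_BETA" ;;
    esac
    if port_is_wildcard_bound "$DASHBOARD_PORT"; then
        echo "port $DASHBOARD_PORT: bound on all interfaces, restrict it"
    else
        echo "port $DASHBOARD_PORT: not wildcard-bound"
    fi
}

# Demo run against the constructed sample; on a real host replace the
# printf with `ss -ltnH` and pass the version shown in the Coolify UI.
printf '%s\n' "$SAMPLE_SS" | triage "4.0.0-beta.450"
```

Unrecognised version strings deliberately come back as "verify manually" rather than "patched", so a renamed or future release scheme cannot silently pass the check. One caveat on the port check: a port published by docker-proxy on 0.0.0.0 is reached through Docker's own iptables chains before host rules such as ufw's INPUT policy apply, so a green host firewall does not by itself mean the dashboard is private. Restrict it at the network edge, or bind it to a loopback or VPN address, and confirm from outside the trusted network.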