
These flaws grant full server compromise, exposing sensitive workloads and potentially enabling supply‑chain attacks across thousands of deployments. Prompt remediation is essential to protect enterprise data and maintain trust in open‑source self‑hosting solutions.
Coolify has emerged as a popular platform for developers seeking to self‑host applications, offering integrated CI/CD, database management, and container orchestration. Its open‑source nature accelerates adoption, but it also places the codebase under public scrutiny. The newly disclosed CVEs span core functionality (database backup, database import, PostgreSQL init scripts, dynamic proxy configuration, and file storage mounts), and each contains a command‑injection path that lets an authenticated attacker run arbitrary shell commands with root privileges. Because Coolify builds the commands it runs on the host from user‑supplied fields such as Docker Compose YAML and git repository settings, injected input is executed outside the isolated application containers, effectively compromising the host operating system.
The practical impact of these vulnerabilities is severe. A single compromised Coolify instance can serve as a foothold for lateral movement within an organization's network, exposing downstream services, databases, and secrets. The information‑disclosure flaw (CVE‑2025‑64420) amplifies the risk by revealing the root SSH private key, which gives an attacker persistent remote access that survives a patch of the injection bugs. With over 52,000 publicly reachable instances, most of them in Europe and North America, the attack surface is sizable even though no public exploits have been observed so far. Enterprises relying on self‑hosted DevOps pipelines should treat these findings as high priority, especially those running versions below 4.0.0‑beta.451.
Mitigation starts with an immediate upgrade to the patched beta versions or, preferably, to a stable release that incorporates all of the fixes. Because CVE‑2025‑64420 exposes the root SSH private key, patching alone is not sufficient for an instance that was reachable before the update: rotate that key, review the host's authorized_keys entries, and check SSH logs for logins that cannot be attributed to administrators. Administrators should also audit user permissions, enforce least privilege, and disable API endpoints that handle file uploads or dynamic proxy settings when they are not needed. Continuous monitoring for anomalous container and host behavior, together with regular vulnerability scans, can surface early signs of exploitation. The episode underscores the broader challenge of securing open‑source self‑hosting tools: rapid development cycles must be balanced with rigorous security testing to prevent supply‑chain compromises that could ripple across the cloud‑native ecosystem.