Critical Alert: 11 Coolify Flaws Enable Full Server Compromise on Self-Hosted Instances (CVSS 10.0 RCE)

News

A critical security disclosure concerns Coolify, an open-source self-hosting platform widely used to manage infrastructure, including environments that may support Web3 projects. Cybersecurity researchers have disclosed details of 11 critical-severity security flaws that together enable devastating outcomes, ranging from authentication bypass to full Remote Code Execution (RCE) and complete server compromise. Topping the list is CVE-2025-66209, assigned the maximum CVSS score of 10.0: a command injection vulnerability in the database backup functionality that any authenticated user can exploit. For Web3 development teams relying on self-hosted instances for their nodes, RPCs, or critical back-end tools, this represents an extreme infrastructure-layer risk. Because any authenticated user can achieve RCE, internal administrative access must be treated with the utmost scrutiny. Immediate patching of Coolify instances is mandatory, alongside a rigorous review of least-privilege access controls for all authenticated users in self-hosted environments.


Source: Coolify Discloses 11 Critical Flaws Enabling Full Server Compromise on Self-Hosted Instances
