RCE in Elysiajs Elysia

CVE-2025-66457

Elysia is a TypeScript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.17 and below are subject to arbitrary code execution from cookie config. When dynamic cookies are…

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.001 (24.6th percentile)
