CVE-2025-66457
BaseFortify
Publication date: 2025-12-09
Last updated on: 2025-12-17
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elysiajs | elysia | to 1.4.18 (inc) |
| elysia | elysia | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the Elysia TypeScript framework, versions 1.4.17 and below. It allows arbitrary code execution through the cookie configuration when dynamic cookies are enabled: the cookie config is injected into the compiled route without sanitization, so an attacker who can write to the cookie config can influence the generated code. Exploitability is generally low, because it requires write access to either the app's source code or the cookie config. The issue is fixed in version 1.4.18.
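To make the CWE-94 pattern behind this advisory concrete, the following is an added illustration and not Elysia's code or a reproduction of the actual bug: a hypothetical "route compiler" that turns a cookie config object into a handler function. The unsafe version splices config values into generated source text, so a value carrying a quote or semicolon alters the program's syntax; the hardened version binds the config as a parameter, so it stays data no matter what it contains. The config objects are constructed for the example.

```javascript
// Added example, not Elysia's own code. Assumed: a tiny route compiler that
// builds a handler function from a cookie config object (hypothetical API).

// UNSAFE (CWE-94 pattern): config values are interpolated into generated
// source. The config text becomes part of the program, so any character
// that is meaningful to the JavaScript parser changes what the code means.
function compileRouteUnsafe(cookieConfig) {
  const source = `
    const cfg = { domain: '${cookieConfig.domain}', secure: ${cookieConfig.secure} };
    return cfg;
  `;
  return new Function(source);
}

// SAFE: the generated source contains no config text at all. The config
// object is passed in as an argument, so its contents are ordinary values
// and cannot affect the syntax of the compiled route.
function compileRouteSafe(cookieConfig) {
  const source = `
    return { domain: String(cfg.domain), secure: cfg.secure === true };
  `;
  const body = new Function('cfg', source);
  return () => body(cookieConfig);
}

// Reports whether the unsafe compiler even produces a parseable function
// for a given config; a SyntaxError means the config text was treated as code.
function unsafeAcceptsConfig(cookieConfig) {
  try {
    compileRouteUnsafe(cookieConfig);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Constructed sample configs: a benign one and one whose domain value
// contains characters that break out of a single-quoted string literal.
const normalConfig = { domain: 'example.test', secure: true };
const hostileConfig = { domain: "example.test'; return 'injected", secure: true };

// Stand-alone demonstration of the difference between the two compilers.
function demo() {
  return {
    unsafeNormal: compileRouteUnsafe(normalConfig)().domain,   // 'example.test'
    unsafeHostileParses: unsafeAcceptsConfig(hostileConfig),    // false: config became syntax
    safeNormal: compileRouteSafe(normalConfig)().domain,       // 'example.test'
    safeHostile: compileRouteSafe(hostileConfig)().domain,     // the full string, kept as data
  };
}

console.log(demo());
```

The same principle applies when config must be embedded as a literal rather than bound as a parameter: serialize it with `JSON.stringify` so the parser sees a value, never raw text, and treat any value that reaches a code generator as untrusted, even when it comes from configuration rather than a request.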
How can this vulnerability impact me?
If exploited, this vulnerability can lead to arbitrary code execution on the server running the Elysia framework. This could allow an attacker to execute malicious code remotely, potentially compromising the server and any data or services it hosts. However, exploitation requires write access to the source code or cookie config, limiting the risk in many scenarios.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Elysia to version 1.4.18 or later, as this version fixes the vulnerability related to arbitrary code execution from cookie config. Additionally, ensure that write access to the cookie config is properly restricted to prevent unauthorized modifications.