CVE-2025-66457HIGH 8.8EPSS p47.5%

CVE-2025-66457CVE-2025-66457

Description

Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.17 and below are subject to arbitrary code execution from cookie config. When dynamic cookies are enabled (e.g. there an existing cookie schema), the cookie config is injected into the compiled route without first being sanitised. Availability of this exploit is generally low, but when combined with GHSA-hxj9-33pp-j2cc, it allows for a full RCE chain. An attack requires write access to either the Elysia app's source code (in which case the vulnerability is meaningless) or write access to the cookie config (perhaps where it is assumed to be provisioned by the environment). This issue is fixed in version 1.4.18.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.68% probability of exploitation · percentile 47.5% · 2026-06-18T12:00:27Z
Published2025-12-09
Last modified2025-12-17

Underlying weaknesses· 1

CWE-94

References

  1. https://github.com/elysiajs/elysia/commit/26935bf76ebc43b4a43d48b173fc853de43bb51e
  2. https://github.com/elysiajs/elysia/commit/3af978663e437dccc6c1a2a3aff4b74e1574849e
  3. https://github.com/elysiajs/elysia/pull/1564
  4. https://github.com/elysiajs/elysia/security/advisories/GHSA-8vch-m3f4-q8jf
  5. https://github.com/elysiajs/elysia/security/advisories/GHSA-hxj9-33pp-j2cc
  6. https://github.com/sportshead/elysia-poc

1

TypeTargetConfidenceTier
WeaknessImproper Control of Generation of Code ('Code Injection')cwe-940%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-66456
CVE
CVE-2026-46625
CVE
CVE-2024-0947
CVE
CVE-2026-43633
CVE
CVE-2025-48169
CVE
CVE-2025-54374
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.