Arbitrary Code Execution Vulnerability in Elysia Framework by ElysiaJS
CVE-2025-66457

7.5 HIGH

Key Information:

Vendor: Elysiajs
Status: Vendor
CVE Published: 9 December 2025

What is CVE-2025-66457?

The Elysia Framework, a popular TypeScript solution for request validation and client-server communication, has a security flaw that allows arbitrary code execution via dynamic cookie configurations. Specifically, versions 1.4.17 and earlier do not properly sanitize the injected cookie configuration, which can be exploited under certain conditions. Although exploitability is generally low, the flaw poses a serious risk when chained with other vulnerabilities, such as GHSA-hxj9-33pp-j2cc. Successful exploitation requires either write access to the application's source code or the ability to modify the cookie configuration administratively. This vulnerability has been addressed in version 1.4.18.

Affected Version(s)

elysia < 1.4.18

CVSS V4

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published: 9 December 2025

  • Vulnerability reserved