N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-66457

CVE-2025-66457: Elysia affected by arbitrary code injection through cookie config

Arbitrary code execution from cookie config. If dynamic cookies are enabled (ie there exists a schema for cookies), the cookie config is injected into the compiled route without first being sanitised.

Availability of this exploit is generally low, as it requires write access to either the Elysia app's source code (in which case the vulnerability is meaningless) or write access to the cookie config (perhaps where it is assumed to be provisioned by the environment).

However when combined with GHSA-hxj9-33pp-j2cc, this vulnerability allows for a full RCE chain.

Impact

aot enabled (default)
cookie schema passed to route
Cookie config controllable eg. via env

Example of vulnerable code

new Elysia({
	cookie: {
		secrets: `' + console.log('pwned from secrets') + '`
	},
})
	.get("/", () => "hello world", {
		cookie: t.Cookie({
			foo: t.Any(),
		}),
	})

POC: https://github.com/sportshead/elysia-poc

Patches

Patched by 1.4.17 (https://github.com/elysiajs/elysia/pull/1564)

Reference commit:

https://github.com/elysiajs/elysia/pull/1564/commits/26935bf76ebc43b4a43d48b173fc853de43bb51e
https://github.com/elysiajs/elysia/pull/1564/commits/3af978663e437dccc6c1a2a3aff4b74e1574849e

Workarounds

Sanitize cookie-related env input

const overrideUnsafeQuote = (value: string) =>
	// '`' + value + '`'
	'`' + value.replace(/'/g, '\\`').replace(/\${/g, '$\\{') + '`'

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-66457

CVE-2025-66457:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
elysia	npm	< 1.4.18	1.4.18

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the provided patches indicates that the vulnerability is a code injection issue within the composeHandler function in src/compose.ts. This function is part of Elysia's Ahead-of-Time (AOT) compilation feature, where it generates optimized JavaScript code for handling routes.

The core of the vulnerability is that configuration values for cookies, specifically cookie.secrets and cookie.sign, were being directly concatenated into a string of JavaScript code. If an attacker could control these configuration values (e.g., through environment variables that the application uses to configure Elysia), they could inject malicious code. The provided POC and the patch itself confirm this. The initial patch (commit 26935bf76ebc43b4a43d48b173fc853de43bb51e) introduces a sanitization function, overrideUnsafeQuote, and applies it to the cookie secret values before they are written into the generated code. A subsequent commit (3af978663e437dccc6c1a2a3aff4b74e1574849e) extends this sanitization to cookie names as well, making the fix more robust.

Therefore, the composeHandler function is the exact location where the vulnerability exists and would be the primary function to appear in a runtime profile when the vulnerability is triggered. The vulnerability is triggered during the application's initialization phase when the routes are being compiled, not necessarily during a specific request, but the malicious code would execute upon a request to the affected route.

Vulnerable functions

composeHandler

src/compose.ts

The `composeHandler` function dynamically generates code for handling routes. It was found to be vulnerable because it incorporated cookie configuration values, such as `secrets`, directly into the generated code without sanitization. An attacker with control over these configuration values could inject arbitrary JavaScript code. The patch mitigates this by introducing the `overrideUnsafeQuote` function to sanitize these inputs before they are embedded in the code.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-66457: Elysia affected by arbitrary code injection through cookie config

Impact

Patches

Workarounds

CVE-2025-66457:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

N/A

N/A

CVE-2025-66457: Elysia affected by arbitrary code injection through cookie config

Impact

Patches

Workarounds

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI