CVE-2025-66457: CWE-94: Improper Control of Generation of Code ('Code Injection') in elysiajs elysia
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.17 and below are subject to arbitrary code execution from cookie config. When dynamic cookies are enabled (e.g. there is an existing cookie schema), the cookie config is injected into the compiled route without first being sanitised. Availability of this exploit is generally low, but when combined with GHSA-hxj9-33pp-j2cc, it allows for a full RCE chain. An attack requires write access to either the Elysia app's source code (in which case the vulnerability is meaningless) or write access to the cookie config (perhaps where it is assumed to be provisioned by the environment). This issue is fixed in version 1.4.18.
AI Analysis
Technical Summary
CVE-2025-66457 is a vulnerability classified under CWE-94 (Improper Control of Generation of Code) affecting the Elysia Typescript framework, specifically versions 1.4.17 and earlier. Elysia is used for request validation, type inference, OpenAPI documentation, and client-server communication. The flaw occurs when dynamic cookies are enabled, and the cookie configuration is injected directly into the compiled route code without proper sanitization. This improper handling allows an attacker with write access to the cookie configuration to inject arbitrary code, leading to potential arbitrary code execution within the application context. The exploitability is generally low because it requires write access to the cookie config, which is typically controlled by the environment or developers. However, when combined with another vulnerability (GHSA-hxj9-33pp-j2cc), it can enable a full remote code execution (RCE) attack chain. The vulnerability does not require user interaction but does require privileges to modify configuration data, making it a high-severity issue with a CVSS 4.0 score of 7.5. The issue is resolved in version 1.4.18 of Elysia. No public exploits have been reported to date, but the potential impact is significant if exploited.
Potential Impact
For European organizations, the impact of CVE-2025-66457 can be severe if exploited. Successful exploitation could allow attackers to execute arbitrary code on servers running vulnerable versions of Elysia, potentially leading to full system compromise, data breaches, or disruption of services. Organizations relying on Elysia for critical web applications or APIs may face confidentiality, integrity, and availability risks. The requirement for write access to the cookie configuration limits the attack surface but does not eliminate risk, especially in environments where configuration management is automated or less strictly controlled. The ability to chain this vulnerability with others to achieve full RCE increases the threat level. European entities in sectors such as finance, healthcare, and government, which often deploy modern web frameworks, could be targeted for espionage, data theft, or sabotage. Additionally, the lack of known exploits in the wild suggests a window for proactive mitigation before widespread attacks occur.
Mitigation Recommendations
1. Upgrade all Elysia framework instances to version 1.4.18 or later immediately to apply the official patch.
2. Restrict write access to cookie configuration files or environment variables strictly to trusted administrators and deployment pipelines.
3. Implement rigorous input validation and sanitization for all dynamic configuration inputs, especially those that influence code generation or execution.
4. Employ configuration management best practices, including immutable infrastructure or read-only configurations where feasible.
5. Monitor application logs and configuration changes for unauthorized modifications to cookie settings.
6. Conduct security reviews and code audits focusing on dynamic code generation and injection points within the application.
7. Consider deploying runtime application self-protection (RASP) or web application firewalls (WAF) configured to detect anomalous code injection patterns.
8. Educate development and operations teams about the risks of improper configuration handling and the importance of secure provisioning.
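The pattern behind the Technical Summary (config values interpolated into a compiled route) and the validation called for in mitigation step 3, as an added illustration that is not Elysia's own code. The `CookieConfig` type and the `compileUnsafe`, `compileSafe`, `isValidCookieAttr` and `demo` names are hypothetical; the config object is constructed for the example.

```typescript
// Added illustration of the CWE-94 pattern described above; NOT Elysia's code.
// Type and function names below are hypothetical.
type CookieConfig = { domain?: string; path?: string };

type Serializer = (name: string) => string;

// Unsafe pattern: configuration values are string-interpolated into the source
// of a compiled route, so a value containing a quote is parsed as code.
function compileUnsafe(cfg: CookieConfig): Serializer {
  const src =
    `return name + "; Domain=${cfg.domain ?? ""}; Path=${cfg.path ?? "/"}";`;
  return new Function("name", src) as Serializer;
}

// Safe pattern: the generated source only references the config object, which
// is handed in as a parameter at call time. Config content never becomes code.
function compileSafe(cfg: CookieConfig): Serializer {
  const src =
    'return name + "; Domain=" + (cfg.domain ?? "") + "; Path=" + (cfg.path ?? "/");';
  const fn = new Function("cfg", "name", src) as (c: CookieConfig, n: string) => string;
  return (name) => fn(cfg, name);
}

// Defence in depth (mitigation step 3): reject attribute values outside the
// conservative character set a Domain or Path attribute legitimately needs.
function isValidCookieAttr(value: string): boolean {
  return /^[A-Za-z0-9._\/-]*$/.test(value);
}

// Constructed config whose "domain" is an expression rather than a hostname.
const suspicious: CookieConfig = { domain: 'x" + (1 + 1) + "', path: "/" };

function demo(): { unsafe: string; safe: string; accepted: boolean } {
  return {
    unsafe: compileUnsafe(suspicious)("sid"), // "sid; Domain=x2; Path=/": evaluated
    safe: compileSafe(suspicious)("sid"),     // config text preserved literally
    accepted: isValidCookieAttr(suspicious.domain ?? ""), // false
  };
}
```

The unsafe variant turns the config string into the evaluated `x2`, which is the defect class the advisory describes; the safe variant and the validator both treat it as data.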
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-01T22:51:54.581Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69388517f4a79be77cca2bcc
Added to database: 12/9/2025, 8:22:47 PM
Last enriched: 12/9/2025, 8:37:33 PM
Last updated: 12/11/2025, 2:25:58 AM