Platform
nodejs
Component
elysia
Fixed in
1.4.19
1.4.18
CVE-2025-66457 describes a Remote Code Execution (RCE) vulnerability within the Elysia Node.js framework. This flaw arises from insufficient sanitization of dynamic cookie configurations, allowing attackers to inject malicious code. The vulnerability affects versions 1.4.17 and earlier, and a fix is available in version 1.4.18. Exploitation requires write access to the application's source code or the cookie configuration file.
The impact of CVE-2025-66457 is significant due to its potential for arbitrary code execution. An attacker gaining write access to either the Elysia application's source code or the cookie configuration file can inject and execute malicious code. This could lead to complete system compromise, including data theft, modification, or deletion. The vulnerability's severity is amplified when combined with GHSA-hxj9-33pp-j2cc, creating a full Remote Code Execution (RCE) chain, allowing for more sophisticated attacks and broader impact. The 'aot enabled' default setting doesn't inherently mitigate the vulnerability; proper sanitization of cookie configurations remains crucial.
Public proof-of-concept (PoC) code for this vulnerability is likely to emerge given the RCE nature and the combination with GHSA-hxj9-33pp-j2cc. The exploit's availability is currently considered low due to the requirement for write access, but this could change. The vulnerability was publicly disclosed on 2025-12-09. It is not currently listed on CISA KEV.
Applications built using Elysia framework, particularly those that dynamically configure cookies based on user input or external sources, are at significant risk. Development teams using older versions of Elysia and those with inadequate access controls on their application configuration files are especially vulnerable.
• nodejs / server:
  ps aux | grep elysia
  find / -name 'elysia.config.mjs' -print
• nodejs / server:
  npm list elysia
  npm audit elysia
• generic web: Inspect cookie configuration files for unusual or unexpected code patterns. Review application logs for any errors related to cookie parsing or configuration loading.
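The version check above relies on reading `npm list` output by eye. As an added example (not code from the advisory or from the Elysia project), the following Node.js script does the same comparison programmatically: it parses a `package-lock.json` object, finds every installed copy of `elysia` (including nested copies pulled in by plugins), and flags any version below the fixed release 1.4.18, treating pre-releases of 1.4.18 as still affected per semver ordering. The lockfile content is constructed for the example; the function and variable names are this example's own.

```javascript
// Added example: flag installed elysia versions affected by CVE-2025-66457
// (affected: <= 1.4.17, fixed in 1.4.18) by inspecting a package-lock.json object.

const FIXED_VERSION = "1.4.18";

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts; returns null if unparseable.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// A prerelease of X sorts before X itself, so 1.4.18-beta.1 is still below 1.4.18.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// True when the given elysia version is below the fixed release.
function isVulnerableElysia(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Collect every installed copy of elysia from a parsed lockfile.
// Supports lockfileVersion 2/3 ("packages" keyed by path) and v1 ("dependencies" tree).
function findElysiaInLock(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "node_modules/elysia" || path.endsWith("/node_modules/elysia")) {
        found.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "elysia") found.push({ path, version: entry.version });
        walk(entry.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return found.map((f) => ({ ...f, vulnerable: isVulnerableElysia(f.version) }));
}

// Constructed sample lockfile (v3 layout), not taken from any real project:
// the top-level elysia is affected, a plugin's nested copy is already fixed.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/elysia": { version: "1.4.17" },
    "node_modules/some-plugin": { version: "2.0.0" },
    "node_modules/some-plugin/node_modules/elysia": { version: "1.4.19" },
  },
};

function auditSampleLock() {
  return findElysiaInLock(SAMPLE_LOCK);
}

for (const r of auditSampleLock()) {
  console.log(`${r.path}: ${r.version} -> ${r.vulnerable ? "VULNERABLE (< 1.4.18)" : "ok"}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; nested copies matter because a plugin can pin its own older `elysia` even after the top-level dependency is upgraded.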
disclosure
Exploit status
EPSS
0.08% (23rd percentile)
CISA SSVC
The primary mitigation for CVE-2025-66457 is to immediately upgrade to Elysia version 1.4.18 or later, which includes the necessary sanitization fixes. If upgrading is not immediately feasible, consider restricting write access to the cookie configuration file to only trusted processes. Implement strict input validation and sanitization on all user-supplied data used in cookie configurations. While a WAF or proxy might offer some protection, it's not a substitute for patching the underlying vulnerability. Review and audit all cookie configuration files for any signs of malicious code injection.
Upgrade Elysia to version 1.4.18 or later. This version fixes the arbitrary code injection vulnerability via the cookie configuration. The update prevents unintended code execution when the cookie configuration is processed.
CVE-2025-66457 is a Remote Code Execution vulnerability in the Elysia Node.js framework. It allows attackers to execute arbitrary code due to insufficient sanitization of dynamic cookie configurations.
You are affected if you are using Elysia versions 1.4.17 or earlier and have enabled dynamic cookies. Check your version and upgrade immediately.
Upgrade to Elysia version 1.4.18 or later. If immediate upgrade is not possible, restrict write access to the cookie configuration file and implement strict input validation.
While active exploitation is not currently confirmed, the RCE nature of the vulnerability suggests it is likely to be targeted, and PoCs are expected to emerge.
Refer to the Elysia project's official website and GitHub repository for the latest security advisories and updates regarding CVE-2025-66457.