Platform: nodejs
Component: elysia
Fixed in: 1.4.19, 1.4.18
CVE-2025-66457 describes a Remote Code Execution (RCE) vulnerability within the Elysia Node.js framework. This flaw arises from insufficient sanitization of dynamic cookie configurations, allowing attackers to inject malicious code. The vulnerability affects versions 1.4.17 and earlier, and a fix is available in version 1.4.18. Exploitation requires write access to the application's source code or the cookie configuration file.
The impact of CVE-2025-66457 is significant due to its potential for arbitrary code execution. An attacker gaining write access to either the Elysia application's source code or the cookie configuration file can inject and execute malicious code. This could lead to complete system compromise, including data theft, modification, or deletion. The vulnerability's severity is amplified when combined with GHSA-hxj9-33pp-j2cc, creating a full Remote Code Execution (RCE) chain, allowing for more sophisticated attacks and broader impact. The 'aot enabled' default setting doesn't inherently mitigate the vulnerability; proper sanitization of cookie configurations remains crucial.
Public proof-of-concept (PoC) code for this vulnerability is likely to emerge given its RCE nature and its combination with GHSA-hxj9-33pp-j2cc. Exploit availability is currently considered low because write access is required, but this could change. The vulnerability was publicly disclosed on 2025-12-09. It is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.08% (23rd percentile)
CISA SSVC:
The primary mitigation for CVE-2025-66457 is to upgrade immediately to Elysia version 1.4.18 or later, which includes the necessary sanitization fixes. If upgrading is not immediately feasible, restrict write access to the cookie configuration file to trusted processes only. Implement strict input validation and sanitization on all user-supplied data used in cookie configurations. A WAF or proxy might offer some protection, but it is not a substitute for patching the underlying vulnerability. Review and audit all cookie configuration files for any signs of malicious code injection.
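The first step of the mitigation above is confirming which installed copies of elysia fall in the affected range. The following script is an added example, not code from this advisory or from the Elysia project: it walks the "packages" map of an npm package-lock.json (lockfileVersion 2 or 3, an assumption about the lockfile layout) and reports every elysia copy, including nested ones, whose version is below 1.4.18. The sample lockfile and the dependency name some-plugin are constructed for the demonstration.

```javascript
// First version the advisory lists as fixed; anything older is reported.
const FIXED_VERSION = [1, 4, 18];

// Parse "MAJOR.MINOR.PATCH" into integers; pre-release/build suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric three-part comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the given elysia version is older than the fixed release.
function isAffectedElysiaVersion(version) {
  return compareVersions(parseVersion(version), FIXED_VERSION) < 0;
}

// Accepts a parsed lockfile object or its JSON text and returns the install
// paths of every elysia copy (top-level or nested) still in the affected range.
function findAffectedElysia(lockfileJson) {
  const lock = typeof lockfileJson === 'string' ? JSON.parse(lockfileJson) : lockfileJson;
  const packages = lock.packages || {}; // lockfileVersion 2/3 layout (assumption)
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    // Keys look like "node_modules/elysia" or "node_modules/x/node_modules/elysia".
    const isElysia = path === 'node_modules/elysia' || path.endsWith('/node_modules/elysia');
    if (isElysia && meta && meta.version && isAffectedElysiaVersion(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample: an affected top-level copy plus a fixed nested copy
// pulled in by a hypothetical dependency named some-plugin.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    'node_modules/elysia': { version: '1.4.17' },
    'node_modules/some-plugin/node_modules/elysia': { version: '1.4.18' },
  },
};

console.log(findAffectedElysia(SAMPLE_LOCKFILE));
```

To run it against a real project, replace SAMPLE_LOCKFILE with the contents of that project's package-lock.json.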
Upgrade Elysia to version 1.4.18 or later. This version fixes the arbitrary code injection vulnerability in the cookie configuration. The update prevents unintended code execution when the cookie configuration is processed.
CVE-2025-66457 is a Remote Code Execution vulnerability in the Elysia Node.js framework. It allows attackers to execute arbitrary code due to insufficient sanitization of dynamic cookie configurations.
You are affected if you are using Elysia versions 1.4.17 or earlier and have enabled dynamic cookies. Check your version and upgrade immediately.
Upgrade to Elysia version 1.4.18 or later. If an immediate upgrade is not possible, restrict write access to the cookie configuration file and implement strict input validation.
While active exploitation is not currently confirmed, the RCE nature of the vulnerability suggests it is likely to be targeted, and PoCs are expected to emerge.
Refer to the Elysia project's official website and GitHub repository for the latest security advisories and updates regarding CVE-2025-66457.