PT-2025-50228 · Elysia · Elysia
Sportshead · Published 2025-12-09 · Updated 2025-12-17 · CVE-2025-66457
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Elysia versions 1.4.17 and below
Description: Elysia is a TypeScript framework used for request validation, type inference, OpenAPI documentation, and client-server communication. Versions 1.4.17 and below are susceptible to arbitrary code execution originating from cookie configurations. When dynamic cookies are enabled, the cookie configuration is integrated into the compiled route without proper sanitization. On its own the issue is generally hard to reach, but when combined with GHSA-hxj9-33pp-j2cc it can lead to a complete remote code execution chain. Successful exploitation requires write access to either the Elysia application's source code or the cookie configuration.
Recommendations: Update to version 1.4.18 or later.
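As an added example (not part of the advisory or of the Elysia project), the following script checks an npm package-lock.json for installed copies of elysia that predate the fixed version 1.4.18, including nested duplicates that a top-level `npm ls` summary can hide. It assumes the lockfileVersion 2/3 "packages" layout, and the sample lockfile is constructed for the demonstration.

```javascript
// Added example (not from the advisory or the Elysia project): flag Elysia
// versions affected by CVE-2025-66457 (<= 1.4.17; fixed in 1.4.18) in an
// npm package-lock.json (lockfileVersion 2 or 3 "packages" layout).
const FIXED = [1, 4, 18]; // first patched version per the advisory

// Parse "1.4.17", "v1.4.17" or "1.4.18-exp.1" into numeric parts + prerelease tag.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// true = older than the fix, false = fixed, null = not a concrete semver
// (e.g. "workspace:*"). A prerelease of 1.4.18 sorts before 1.4.18 in semver
// and is therefore treated as vulnerable rather than assumed fixed.
function isVulnerable(version) {
  const p = parseSemver(version);
  if (!p) return null;
  for (let i = 0; i < 3; i++) {
    if (p.parts[i] < FIXED[i]) return true;
    if (p.parts[i] > FIXED[i]) return false;
  }
  return p.pre !== null;
}

// Walk every installed copy of elysia (including nested duplicates such as
// node_modules/foo/node_modules/elysia) and report its status.
function auditLock(lockText) {
  const lock = JSON.parse(lockText);
  const pkgs = lock.packages || {};
  return Object.keys(pkgs)
    .filter((k) => k === "node_modules/elysia" || k.endsWith("/node_modules/elysia"))
    .map((k) => ({ path: k, version: pkgs[k].version, vulnerable: isVulnerable(pkgs[k].version) }));
}

// Constructed sample lockfile: one outdated top-level copy and one patched nested copy.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/elysia": { version: "1.4.17" },
    "node_modules/some-plugin": { version: "2.0.0" },
    "node_modules/some-plugin/node_modules/elysia": { version: "1.4.18" },
  },
});

for (const r of auditLock(SAMPLE_LOCK)) {
  console.log(`${r.path} ${r.version}: ${r.vulnerable ? "VULNERABLE, update to >= 1.4.18" : "patched"}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with the contents of that project's package-lock.json; a null status means the version field was not a concrete semver and needs a manual look.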

Exploit · Fix · RCE · Prototype Pollution · Code Injection

Weakness Enumeration

Related Identifiers

CVE-2025-66457
GHSA-8VCH-M3F4-Q8JF
GHSA-HXJ9-33PP-J2CC

Affected Products

Elysia