CVE-2025-66457

8.8 HIGH

📋 TL;DR

CVE-2025-66457 allows arbitrary code execution in the Elysia framework when dynamic cookies are enabled. Attackers can inject malicious cookie configurations to execute code on the server. This affects Elysia applications using dynamic cookie schemas in versions 1.4.17 and below.

💻 Affected Systems

Products:
  • Elysia
Versions: 1.4.17 and below
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when dynamic cookies are enabled and cookie schemas are used. Requires specific configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case

Limited code execution within the application context, potentially allowing data access or further privilege escalation.

🟢 If Mitigated

No impact if dynamic cookies are disabled or proper input validation is implemented.

🌐 Internet-Facing: MEDIUM - Requires specific configuration (dynamic cookies enabled) and potentially another vulnerability for full RCE chain.
🏢 Internal Only: LOW - Attack requires write access to cookie configuration, which is typically controlled in trusted environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires write access to cookie configuration. Full RCE chain requires combination with GHSA-hxj9-33pp-j2cc.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.18

Vendor Advisory: https://github.com/elysiajs/elysia/security/advisories/GHSA-8vch-m3f4-q8jf

Restart Required: Yes

Instructions:

1. Update Elysia package to version 1.4.18 or higher.
2. Run 'npm update elysia' or 'yarn upgrade elysia'.
3. Restart the application server.

🔧 Temporary Workarounds

Disable dynamic cookies (all operating systems)

Disable dynamic cookie functionality in Elysia configuration. Set dynamic cookies to false in Elysia app configuration.

Implement cookie validation (all operating systems)

Add strict validation for all cookie inputs before processing. Implement input sanitization for cookie parameters.

🧯 If You Can't Patch

  • Disable dynamic cookie functionality entirely
  • Implement strict input validation and sanitization for all cookie parameters

🔍 How to Verify

Check if Vulnerable:

Check package.json for Elysia version <=1.4.17 and verify if dynamic cookies are enabled in configuration

Check Version:

npm list elysia | grep elysia

Verify Fix Applied:

Verify Elysia version is 1.4.18 or higher in package.json and restart application
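
One way to run the version check above against what is actually installed, as an added example that is not part of the advisory or the Elysia project: package.json usually holds a range such as ^1.4.0, so the code below reads resolved versions from a parsed npm package-lock.json (lockfileVersion 2 or 3) instead. The sample lockfile and the names parseVersion, isBelow and findElysia are constructed for illustration; only the fixed version 1.4.18 comes from this page.

```javascript
// Added example: flag resolved elysia versions below the fixed release.
const FIXED = "1.4.18"; // patch version stated on this page

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; null if not in that form.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/
    .exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// True when a sorts before b. A prerelease of X.Y.Z sorts before X.Y.Z, so
// 1.4.18-beta builds are treated as affected (conservative assumption).
// Two prereleases of the same X.Y.Z are not ordered against each other.
function isBelow(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i];
  }
  return pa.pre !== null && pb.pre === null;
}

// Walk the "packages" map of a parsed package-lock.json. Keys look like
// "node_modules/elysia" or "node_modules/x/node_modules/elysia" (nested copy).
function findElysia(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/elysia$/.test(path)) continue;
    const status = parseVersion(meta.version) === null ? "unknown"
      : isBelow(meta.version, FIXED) ? "affected" : "fixed";
    hits.push({ path, version: meta.version, status });
  }
  return hits;
}

// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { elysia: "^1.4.0" } },
    "node_modules/elysia": { version: "1.4.18" },
    "node_modules/some-plugin/node_modules/elysia": { version: "1.4.17" },
    "node_modules/@demo/elysia-helpers": { version: "0.1.0" },
  },
};

for (const h of findElysia(SAMPLE_LOCK)) console.log(`${h.status}\t${h.version}\t${h.path}`);
```

On a real project, pass the parsed contents of package-lock.json to findElysia. A nested copy pulled in by another dependency can stay on an affected version even after the top-level package has been upgraded.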

📡 Detection & Monitoring

Log Indicators:

  • Unusual cookie payloads in request logs
  • Unexpected process executions from Elysia application

Network Indicators:

  • Suspicious cookie values in HTTP requests
  • Unusual outbound connections from application server

SIEM Query:

source="application.logs" AND ("cookie" AND ("exec" OR "eval" OR "system"))
