Elysia affected by arbitrary code injection through cookie config

Description

Arbitrary code execution from cookie config. If dynamic cookies are enabled (ie there exists a schema for cookies), the cookie config is injected into the compiled route without first being sanitised.

Recommendation

Update the elysia package to the latest compatible version. Followings are version details:

• Affected version(s): < 1.4.18
• Patched version(s): 1.4.18

References

• GHSA-8vch-m3f4-q8jf
• CVE-2025-66457
• CWE-94
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• protobuf.js: Code injection through bytes field defaults in generated toObject code - CVE-2026-44293
• Lightning Flow Scanner Vulnerable to Code Injection via Unsafe Use of `new Function()` in APIVersion Rule - CVE-2025-67750
• xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection - xmlhttprequest - CVE-2020-28502
• xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection - CVE-2020-28502

You might also like:

How do hackers hack websites?

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

elysia