Description
Arbitrary code execution from cookie config. If dynamic cookies are enabled (i.e. a schema exists for cookies), the cookie config is injected into the compiled route without first being sanitised.
Recommendation
Update the elysia package to the latest compatible version. Version details:
- Affected version(s): < 1.4.18
- Patched version(s): 1.4.18
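One way to check a project against the version range above, as an added example that is not from the advisory or the Elysia project: it scans the `packages` map of an npm lockfile (lockfileVersion 2 or 3 is assumed) for every `elysia` entry, including nested copies pulled in by other packages, and flags those below 1.4.18. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag elysia entries below the patched release in an npm lockfile.
const PATCHED = '1.4.18'; // patched version stated in the advisory

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v);
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// True when `version` sorts before the patched release.
function isAffected(version, patched = PATCHED) {
  const a = parseVersion(version);
  const b = parseVersion(patched);
  if (!a || !b) return true; // unparseable version: flag for manual review
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i];
  }
  // Same numeric triple: a prerelease such as 1.4.18-beta.1 precedes 1.4.18.
  return a.pre !== null && b.pre === null;
}

// Collect every installed copy of elysia that is still in the affected range.
function findAffectedElysia(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match the top-level and nested installs, but not scoped look-alikes.
    const isElysia =
      path === 'node_modules/elysia' || path.endsWith('/node_modules/elysia');
    if (isElysia && isAffected(String(meta.version))) {
      findings.push({ path, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.0.0' },
    'node_modules/elysia': { version: '1.4.18' },
    'node_modules/some-plugin/node_modules/elysia': { version: '1.3.21' },
    'node_modules/@example/elysia': { version: '0.1.0' },
  },
};
console.log(findAffectedElysia(sampleLock));
```

A nested copy can stay in the affected range after the top-level dependency is updated, which is why the scan covers every `node_modules/elysia` path rather than only the root one.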
References
Related Issues
- Axios is vulnerable to DoS attack through lack of data size check - CVE-2025-58754
- Vercel ms Inefficient Regular Expression Complexity vulnerability - CVE-2017-20162
- Moment.js vulnerable to Inefficient Regular Expression Complexity - CVE-2022-31129
- billboard.js allows prototype pollution via the function generate - CVE-2025-49223
Tags: npm, elysia
Last updated on December 09, 2025