Description
Arbitrary code execution from cookie config. If dynamic cookies are enabled (i.e. a schema exists for cookies), the cookie config is injected into the compiled route without first being sanitised.
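The bug class described above, shown in a toy route compiler next to two hardened forms. This is an added example, not Elysia's code: the function names, the `path` config field and the sample value are hypothetical and constructed for illustration.

```javascript
// Toy route compiler for illustration; hypothetical names, not Elysia's source.

// Vulnerable pattern: a config value is spliced into generated source text.
function compileUnsafe(cookieConfig) {
  const src = "return function handler() {\n" +
    "  return { path: '" + cookieConfig.path + "' };\n}";
  return new Function(src)();
}

// Hardened: generated source is fixed text; config is passed in by reference.
function compileByReference(cookieConfig) {
  const src = "return function handler() {\n" +
    "  return { path: cookieConfig.path };\n}";
  return new Function("cookieConfig", src)(cookieConfig);
}

// Hardened: if a literal must be embedded, serialise it so it stays one string token.
function compileSerialised(cookieConfig) {
  const literal = JSON.stringify(String(cookieConfig.path));
  const src = "return function handler() {\n" +
    "  return { path: " + literal + " };\n}";
  return new Function(src)();
}

// Constructed input: a value that closes the quote and appends an expression.
const CRAFTED = { path: "/' + (globalThis.__demoMarker = 'evaluated') + '" };

// Runs each compiler on CRAFTED and records whether the value was treated
// as data (path unchanged) or evaluated as code (marker set).
function demo() {
  const compilers = {
    unsafe: compileUnsafe,
    byReference: compileByReference,
    serialised: compileSerialised,
  };
  const out = {};
  for (const [name, compile] of Object.entries(compilers)) {
    delete globalThis.__demoMarker;
    const path = compile(CRAFTED)().path;
    out[name] = { path, executed: globalThis.__demoMarker === "evaluated" };
  }
  delete globalThis.__demoMarker;
  return out;
}

console.log(demo());
```

Only the first compiler evaluates the config value; the other two return it unchanged as a string.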
Recommendation
Update the elysia package to the latest compatible version. Version details:
- Affected version(s): < 1.4.18
- Patched version(s): 1.4.18
References
Related Issues
- Arbitrary Code Injection in pouchdb - CVE-2016-10546
- Lightning Flow Scanner Vulnerable to Code Injection via Unsafe Use of `new Function()` in APIVersion Rule - CVE-2025-67750
- next-mdx-remote affected by arbitrary code execution in React server-side rendering of untrusted MDX content - CVE-2026-0969
- BrowserStack Local vulnerable to Command Injection through logfile variable - CVE-2025-57283
Tags:
- npm
- elysia
Last updated on December 09, 2025