Elysia TypeScript Framework Cookie Injection Vulnerability Leading to Arbitrary Code Execution

A vulnerability allowing arbitrary code execution has been identified in the Elysia TypeScript framework, specifically in versions prior to 1.4.18. The issue arises from the framework's handling of cookie configurations. When dynamic cookies are enabled, the cookie configuration is injected into the compiled route without proper sanitization. This vulnerability requires write access to the Elysia application's source code or to the cookie configuration, which may be assumed to be provided by the environment. However, when combined with a related vulnerability, GHSA-hxj9-33pp-j2cc, it creates a complete remote code execution exploit chain.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where the Elysia application is running.

Reproduction

To reproduce this vulnerability, create an Elysia application with a cookie configuration that includes unsanitized data, such as a secret that executes a console log command. Then, enable dynamic cookies by defining a cookie schema that allows the injection of the unsanitized data into the application's routes. Once the application is running, the injected code will be executed, demonstrating the vulnerability.

Remediation

Users can update to Elysia version 1.4.18 or later, where this vulnerability has been patched.