Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 8034b78bf720 · 2025-12-09T17:13:42.000Z
GHSA-8vch-m3f4-q8jf GHSA-hfv2-pf68-m33x GHSA-hxj9-33pp-j2cc
diff --git a/advisories/github-reviewed/2025/12/GHSA-8vch-m3f4-q8jf/GHSA-8vch-m3f4-q8jf.json b/advisories/github-reviewed/2025/12/GHSA-8vch-m3f4-q8jf/GHSA-8vch-m3f4-q8jf.json
@@ -0,0 +1,77 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8vch-m3f4-q8jf",
+  "modified": "2025-12-09T17:12:05Z",
+  "published": "2025-12-09T17:12:05Z",
+  "aliases": [
+    "CVE-2025-66457"
+  ],
+  "summary": "Elysia affected by arbitrary code injection through cookie config",
+  "details": "Arbitrary code execution from cookie config. If dynamic cookies are enabled (ie there exists a schema for cookies), the cookie config is injected into the compiled route without first being sanitised.\n\nAvailability of this exploit is generally low, as it requires write access to either the Elysia app's source code (in which case the vulnerability is meaningless) or write access to the cookie config (perhaps where it is assumed to be provisioned by the environment). \n\nHowever when combined with GHSA-hxj9-33pp-j2cc, this vulnerability allows for a full RCE chain.\n\n### Impact\n- aot enabled (default)\n- cookie schema passed to route\n- Cookie config controllable eg. via env\n\nExample of vulnerable code\n```js\nnew Elysia({\n\tcookie: {\n\t\tsecrets: `' + console.log('pwned from secrets') + '`\n\t},\n})\n\t.get(\"/\", () => \"hello world\", {\n\t\tcookie: t.Cookie({\n\t\t\tfoo: t.Any(),\n\t\t}),\n\t})\n```\n\nPOC: https://github.com/sportshead/elysia-poc\n\n### Patches\nPatched by 1.4.17 (https://github.com/elysiajs/elysia/pull/1564)\n\nReference commit:\n- https://github.com/elysiajs/elysia/pull/1564/commits/26935bf76ebc43b4a43d48b173fc853de43bb51e\n- https://github.com/elysiajs/elysia/pull/1564/commits/3af978663e437dccc6c1a2a3aff4b74e1574849e\n\n### Workarounds\nSanitize cookie-related env input\n\n```typescript\nconst overrideUnsafeQuote = (value: string) =>\n\t// '`' + value + '`'\n\t'`' + value.replace(/'/g, '\\\\`').replace(/\\${/g, '$\\\\{') + '`'\n```",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "elysia"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.4.18"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/elysiajs/elysia/security/advisories/GHSA-8vch-m3f4-q8jf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/elysiajs/elysia/security/advisories/GHSA-hxj9-33pp-j2cc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/elysiajs/elysia/pull/1564"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/elysiajs/elysia/commit/26935bf76ebc43b4a43d48b173fc853de43bb51e"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/elysiajs/elysia/commit/3af978663e437dccc6c1a2a3aff4b74e1574849e"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/elysiajs/elysia"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/sportshead/elysia-poc"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-94"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-09T17:12:05Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2025/12/GHSA-hfv2-pf68-m33x/GHSA-hfv2-pf68-m33x.json b/advisories/github-reviewed/2025/12/GHSA-hfv2-pf68-m33x/GHSA-hfv2-pf68-m33x.json
@@ -0,0 +1,66 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hfv2-pf68-m33x",
+  "modified": "2025-12-09T17:12:18Z",
+  "published": "2025-12-09T17:12:18Z",
+  "aliases": [
+    "CVE-2025-66625"
+  ],
+  "summary": "Umbraco Vulnerable to Improper File Access and Credential Exposure in Dictionary Import Functionality",
+  "details": "### Impact\nDue to unsafe handling and deletion of temporary files during the dictionary upload process, an attacker with access to the backoffice can trigger predictable requests to temporary file paths. The application’s error responses (HTTP 500 when a file exists, 404 when it does not) allow the attacker to enumerate the existence of arbitrary files on the server’s filesystem. This vulnerability does not allow reading or writing file contents.\n\nIn certain configurations, incomplete clean-up of temporary upload files may additionally expose the NTLM hash of the Windows account running the Umbraco application. The direct impact of this vulnerability is therefore limited to confidentiality, which is reflected in its CVSS base score of 4.9\n\nWhile the CVSS Base Score captures only the immediate effect, the practical risk varies significantly based on hosting environment and identity configuration. Umbraco Cloud sites run under low-privilege, isolated Azure App Service worker identities, which mitigates the impact of any credential exposure. In contrast, self-hosted deployments could run Umbraco using privileged local or domain accounts. If such an account’s NTLM hash is disclosed, an attacker may be able to:\n- Perform NTLM relay attacks\n- Crack the hash offline to recover the underlying password\n- Authenticate as the compromised identity\n- Access internal systems trusted by that identity\n- Move laterally within the network\n- Potentially escalate to full domain compromise in weakly segmented environments\n\nThese outcomes are not part of the CVSS base score, which only rates the immediate confidentiality impact, but represent realistic downstream consequences for installations using elevated or widely-trusted service accounts. Self-hosted environments running Umbraco under privileged identities are therefore at significantly higher risk.\n\nVulnerability found and reported by Tomasz Holeksa at Pentest Limited\n\n### Patches\nThe issue has been patched in 13.12.1.\n\n### Workarounds\nThe issue can only be exploited by authorized backoffice accounts with access to the \"Translations\" section.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "NuGet",
+        "name": "Umbraco.Cms"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.0.0"
+            },
+            {
+              "fixed": "13.12.1"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 13.12.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-hfv2-pf68-m33x"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/umbraco/Umbraco-CMS/commit/7505efd433189037f46547932d4a8b603fd4a615"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/umbraco/Umbraco-CMS"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200",
+      "CWE-377",
+      "CWE-552"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-09T17:12:18Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2025/12/GHSA-hxj9-33pp-j2cc/GHSA-hxj9-33pp-j2cc.json b/advisories/github-reviewed/2025/12/GHSA-hxj9-33pp-j2cc/GHSA-hxj9-33pp-j2cc.json
@@ -0,0 +1,77 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hxj9-33pp-j2cc",
+  "modified": "2025-12-09T17:11:54Z",
+  "published": "2025-12-09T17:11:53Z",
+  "aliases": [
+    "CVE-2025-66456"
+  ],
+  "summary": "Elysia vulnerable to prototype pollution with multiple standalone schema validation",
+  "details": "Prototype pollution vulnerability in `mergeDeep` after merging results of two standard schema validations with the same key. Due to the ordering of merging, there must be an `any` type that is set as a `standalone` guard, to allow for the `__proto__` prop to be merged.\n\nWhen combined with GHSA-8vch-m3f4-q8jf this allows for a full RCE by an attacker.\n\n### Impact\nRoutes with more than 2 standalone schema validation, eg. zod\n\nExample vulnerable code:\n```typescript\nimport { Elysia } from \"elysia\"\nimport * as z from \"zod\"\n\nconst app = new Elysia()\n\t.guard({\n\t\tschema: \"standalone\",\n\t\tbody: z.object({\n\t\t\tdata: z.any()\n\t\t})\n\t})\n\t.post(\"/\", ({ body }) => ({ body, win: {}.foo }), {\n\t\tbody: z.object({\n\t\t\tdata: z.object({\n\t\t\t\tmessageId: z.string(\"pollute-me\"),\n\t\t\t})\n\t\t})\n\t})\n```\n\n### Patches\nPatched by 1.4.17 (https://github.com/elysiajs/elysia/pull/1564)\n\nReference commit:\n- https://github.com/elysiajs/elysia/pull/1564/commits/26935bf76ebc43b4a43d48b173fc853de43bb51e\n- https://github.com/elysiajs/elysia/pull/1564/commits/3af978663e437dccc6c1a2a3aff4b74e1574849e\n\n### Workarounds\nRemove `__proto__` key from body\n\nExample plugin for removing `__proto__` from body\n\n```typescript\nnew Elysia()\n\t.onTransform(({ body, headers }) => {\n\t\tif (headers['content-type'] === 'application/json')\n\t\t\treturn JSON.parse(JSON.stringify(body), (k, v) => {\n\t\t\t\tif (k === '__proto__') return\n\n\t\t\t\treturn v\n\t\t\t})\n\t})\n```",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "elysia"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.4.0"
+            },
+            {
+              "fixed": "1.4.17"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/elysiajs/elysia/security/advisories/GHSA-8vch-m3f4-q8jf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/elysiajs/elysia/security/advisories/GHSA-hxj9-33pp-j2cc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/elysiajs/elysia/pull/1564"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/elysiajs/elysia/commit/26935bf76ebc43b4a43d48b173fc853de43bb51e"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/elysiajs/elysia/commit/3af978663e437dccc6c1a2a3aff4b74e1574849e"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/elysiajs/elysia"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/sportshead/elysia-poc"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1321"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-09T17:11:53Z",
+    "nvd_published_at": null
+  }
+}
