[Possible Vulnerability] Cookie Reflection Subdomain Promotion in 1.1.5 - 1.2.25 #1209

Open
@hunterwilhelm

Description

What version of Elysia is running?

1.1.5 - 1.2.25

What platform is your computer?

Darwin 24.4.0 arm64 arm

What steps can reproduce the bug?

This bug happens from 1.1.5 to 1.2.25 and is fixed in 1.3.0.

When a cookie is set while aot: true, derive's set is being destructured, and a cookie is being used as an object, all cookies are being promoted to the current API domain.

```ts
import { Elysia, t } from "elysia";

const app = new Elysia({
  // bug stops when aot is false
  // aot: false
})
  .derive(async ({ set }) => {}) // bug stops when this is commented
  .guard({
    cookie: t.Object({
      // bug stops when t.Object is t.String
      _unused_cookie: t.Optional(t.Object({}))
    })
  })
  .get("/", () => "Hello Elysia")
  .listen(3000);

console.log(
  `🦊 App is running at ${app.server?.hostname}:${app.server?.port}`
);

async function test() {
  // note, I am not using _unused_cookie here
  const response = await fetch("http://localhost:3000", {
    headers: {
      // from: subdomaincookie=true; Max-Age=604800; Domain=.subdomain.example.com; Path=/; HttpOnly; Secure; SameSite=Strict
      Cookie: "subdomaincookie=true"
    }
  });
  const setCookie = response.headers.get("set-cookie");
  // it ignores the cookie subdomain and promotes it to api.subdomain.example.com
  console.log(setCookie); // subdomaincookie=true; Path=/
}

await test();
```

What is the expected behavior?

No set-cookie reflection
console.log should be showing null

What do you see instead?

console.log is showing `subdomaincookie=true; Path=/`, which promotes the cookie to the API's subdomain.

Additional information

I asked AI if this could be a vulnerability and this is what it said.
Me:

Could it be a CVE if a server is reflecting all cookies it receives at an endpoint to set-cookie, therefore changing the subdomain?

ChatGPT said:

Yes, it could potentially be a CVE depending on the broader security impact and context — particularly if this behavior leads to a cookie tossing or cookie injection vulnerability that can be exploited across subdomains or violates same-origin policy assumptions.

Have you tried removing the node_modules and bun.lockb and trying again yet?

yes
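A regression check for the behaviour reported above, added here as an example (it is not part of the issue or of Elysia's code): it flags request cookies that come back in Set-Cookie and computes the scope the reflected copy would get, since a Set-Cookie without a Domain attribute creates a host-only cookie for the responding host. The header values and host name are constructed to mirror the report.

```javascript
// Added example (not from the issue or Elysia): flag request cookies that a
// response reflects in Set-Cookie, and compute the scope the reflected copy
// gets under RFC 6265 (no Domain attribute => host-only for the responding host).

// Parse a request "Cookie" header into a name -> value map.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    jar.set(part.slice(0, idx).trim(), part.slice(idx + 1).trim());
  }
  return jar;
}

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";");
  const idx = pair.indexOf("=");
  const attrs = {};
  for (const a of rest) {
    const [k, v = ""] = a.split("=");
    attrs[k.trim().toLowerCase()] = v.trim();
  }
  return { name: pair.slice(0, idx).trim(), value: pair.slice(idx + 1).trim(), attrs };
}

// Scope a browser stores the cookie under: without Domain it is host-only.
function effectiveScope(setCookie, responseHost) {
  const domain = setCookie.attrs.domain;
  return domain
    ? { domain: domain.replace(/^\./, ""), hostOnly: false }
    : { domain: responseHost, hostOnly: true };
}

// Request cookies whose name and value reappear in Set-Cookie, with their scope.
function findReflectedCookies(cookieHeader, setCookieHeaders, responseHost) {
  const sent = parseCookieHeader(cookieHeader);
  const reflected = [];
  for (const h of setCookieHeaders) {
    const sc = parseSetCookie(h);
    if (sent.get(sc.name) === sc.value) {
      reflected.push({ name: sc.name, ...effectiveScope(sc, responseHost) });
    }
  }
  return reflected;
}

// Constructed sample mirroring the issue's request cookie and reflected Set-Cookie.
console.log(findReflectedCookies("subdomaincookie=true", ["subdomaincookie=true; Path=/"], "api.subdomain.example.com"));
```

An empty result is the expected outcome for an endpoint that sets no cookies; a non-empty result with `hostOnly: true` is the duplicate, host-scoped copy the report describes.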
