72 matches found
CVE-2026-31865
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution , eg. proto. This issue is patched in 1.4.27. As a workaround, use t.Cookie validatio...
CVE-2026-30837
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26 , t.String format: 'url' is vulnerable to ReDoS. Repeating a partial url format protocol and hostname multiple times cause regex to slow down...
CVE-2026-31865
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution , eg. proto. This issue is patched in 1.4.27. As a workaround, use t.Cookie validatio...
CVE-2026-31865 Elysia Cookie Value Prototype Pollution
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution , eg. proto. This issue is patched in 1.4.27. As a workaround, use t.Cookie validatio...
CVE-2026-31865 Elysia Cookie Value Prototype Pollution
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution , eg. proto. This issue is patched in 1.4.27. As a workaround, use t.Cookie validatio...
CVE-2026-31865
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution , eg. proto. This issue is patched in 1.4.27. As a workaround, use t.Cookie validatio...
CVE-2026-31865 Elysia Cookie Value Prototype Pollution
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution , eg. proto. This issue is patched in 1.4.27. As a workaround, use t.Cookie validatio...
CVE-2026-31865
CVE-2026-31865 affects the Elysia TypeScript framework prior to version 1.4.27, where a cookie value could be overridden via prototype pollution (proto ). The issue is fixed in 1.4.27. Impact described as partial integrity impact with possible cookie manipulation; no exploitation details are prov...
elysia 安全漏洞
Elysia is an open-source framework developed by Elysia. Versions of Elysia prior to 1.4.27 contained security vulnerabilities. These vulnerabilities stemmed from the possibility that Elysia cookies could be contaminated by prototype pollution, which could lead to security issues...
@228-fund/elysia-effect (=0.0.1), @228-fund/elysia-msgpack (>=0.0.1 <=0.0.3) +66 more potentially affected by CVE-2026-31865 via elysia (>=1.0.13 <=1.4.26)
elysia NPM version =1.0.13, =0.0.1, =0.1.0, =0.0.1, =0.0.1, =0.1.0, =0.1.4, =0.1.0, =0.1.0, =1.0.0-next.4, =1.0.0, =0.0.1, =1.0.3, =1.0.8 and more Source cves: CVE-2026-31865 Source advisory: SNYK:JS-ELYSIA-15680180...
Prototype Pollution
Overview elysia is an Ergonomic Framework for Human Affected versions of this package are vulnerable to Prototype Pollution in the Cookie class. An attacker can manipulate application behavior by overriding cookie names with proto. PoC proto=%7B%22injected%22%3A%22polluted%22%7D Details Prototype...
@228-fund/elysia-effect (=0.0.1), @228-fund/elysia-msgpack (>=0.0.1 <=0.0.3) +124 more potentially affected by CVE-2026-31865 via elysia (>=0.1.2 <=1.4.26)
elysia NPM version =0.1.2, =0.0.1, =0.0.1, =0.0.7, =0.0.1-0, =0.0.1, =0.0.3, =0.0.1, =0.1.0, =0.0.1, =0.0.1, =0.1.0, =0.1.4, =0.1.0, =1.6.1-canary.0 and more Source cves: CVE-2026-31865 Source advisory: OSV:GHSA-8HQ9-PHH3-P2WP...
GHSA-8HQ9-PHH3-P2WP Elysia Cookie Value Prototype Pollution
Impact Elysia cookie can be overridden by prototype pollution , eg. proto Sending cookie with the follows name can override cookie value: bash proto=%7B%22injected%22%3A%22polluted%22%7D Patches Patched by 1.4.27 Workarounds 1. Use t.Cookie validation to enforce validation value 2. Prevent iterab...
PT-2026-25974
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution , eg. proto . This issue is patched in 1.4.27. As a workaround, use t.Cookie validati...
CVE-2026-30837
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26 , t.String format: 'url' is vulnerable to ReDoS. Repeating a partial url format protocol and hostname multiple times cause regex to slow down...
GHSA-F45G-68Q3-5W8X Elysia has a string URL format ReDoS
Impact t.String format: 'url' is vulnerable to redos Repeating a partial url format protocol and hostname multiple times cause regex to slow down significantly js 'http://a'.repeatn Here's a table demonstrating how long it takes to process repeated partial url format | n repeat | elapsedms | | --...
Regular Expression Denial of Service (ReDoS)
Overview elysia is an Ergonomic Framework for Human Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS in the t.String process when handling URL formats. An attacker can cause significant performance degradation and service unavailability by submitting...
@228-fund/elysia-effect (=0.0.1), @228-fund/elysia-msgpack (>=0.0.1 <=0.0.3) +64 more potentially affected by CVE-2026-30837 via elysia (>=1.0.13 <=1.4.22)
elysia NPM version =1.0.13, =0.0.1, =0.1.0, =0.0.1, =0.0.1, =0.1.0, =0.1.4, =0.1.0, =0.1.0, =1.0.0-next.4, =1.0.0, =0.0.1, =1.0.3, =1.0.8 and more Source cves: CVE-2026-30837 Source advisory: SNYK:JS-ELYSIA-15469934...
@228-fund/elysia-effect (=0.0.1), @228-fund/elysia-msgpack (>=0.0.1 <=0.0.3) +122 more potentially affected by CVE-2026-30837 via elysia (>=0.1.2 <=1.4.22)
elysia NPM version =0.1.2, =0.0.1, =0.0.1, =0.0.7, =0.0.1-0, =0.0.1, =0.0.3, =0.0.1, =0.1.0, =0.0.1, =0.0.1, =0.1.0, =0.1.4, =0.1.0, =1.6.1-canary.0 and more Source cves: CVE-2026-30837 Source advisory: OSV:GHSA-F45G-68Q3-5W8X...
EUVD-2026-10860
Elysia has a string URL format ReDoS...