75 matches found
CVE-2026-56669
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to 1.4.29, Elysia uses getAll in form data normalization for multipart/form-data endpoints, causing the amount of work to grow quadratically with the number of...
CVE-2026-56669
Elysia (a TypeScript framework for request validation, type inference, OpenAPI docs, and client-server communication) contains a vulnerability (CVE-2026-56669) caused by using getAll in form data normalization for multipart/form-data endpoints prior to 1.4.29. This leads to quadratic growth in wo...
CVE-2026-56669 Elysia: Inefficient Algorithmic Complexity and Interpretation Conflict
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to 1.4.29, Elysia uses getAll in form data normalization for multipart/form-data endpoints, causing the amount of work to grow quadratically with the number of...
CVE-2026-31865
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution , eg. proto. This issue is patched in 1.4.27. As a workaround, use t.Cookie validatio...
CVE-2026-30837
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26 , t.String format: 'url' is vulnerable to ReDoS. Repeating a partial url format protocol and hostname multiple times cause regex to slow down...
CVE-2026-31865
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution , eg. proto. This issue is patched in 1.4.27. As a workaround, use t.Cookie validatio...
CVE-2026-31865
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution , eg. proto. This issue is patched in 1.4.27. As a workaround, use t.Cookie validatio...
CVE-2026-31865
CVE-2026-31865 affects the Elysia TypeScript framework prior to version 1.4.27, where a cookie value could be overridden via prototype pollution (proto ). The issue is fixed in 1.4.27. Impact described as partial integrity impact with possible cookie manipulation; no exploitation details are prov...
CVE-2026-31865 Elysia Cookie Value Prototype Pollution
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution , eg. proto. This issue is patched in 1.4.27. As a workaround, use t.Cookie validatio...
CVE-2026-31865 Elysia Cookie Value Prototype Pollution
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution , eg. proto. This issue is patched in 1.4.27. As a workaround, use t.Cookie validatio...
CVE-2026-31865 Elysia Cookie Value Prototype Pollution
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution , eg. proto. This issue is patched in 1.4.27. As a workaround, use t.Cookie validatio...
elysia 安全漏洞
Elysia is an open-source framework developed by Elysia. Versions of Elysia prior to 1.4.27 contained security vulnerabilities. These vulnerabilities stemmed from the possibility that Elysia cookies could be contaminated by prototype pollution, which could lead to security issues...
@228-fund/elysia-effect (=0.0.1), @228-fund/elysia-msgpack (>=0.0.1 <=0.0.3) +66 more potentially affected by CVE-2026-31865 via elysia (>=1.0.13 <=1.4.26)
elysia NPM version =1.0.13, =0.0.1, =0.1.0, =0.0.1, =0.0.1, =0.1.0, =0.1.4, =0.1.0, =0.1.0, =1.0.0-next.4, =1.0.0, =0.0.1, =1.0.3, =1.0.8 and more Source cves: CVE-2026-31865 Source advisory: SNYK:JS-ELYSIA-15680180...
@228-fund/elysia-effect (=0.0.1), @228-fund/elysia-msgpack (>=0.0.1 <=0.0.3) +124 more potentially affected by CVE-2026-31865 via elysia (>=0.1.2 <=1.4.26)
elysia NPM version =0.1.2, =0.0.1, =0.0.1, =0.0.7, =0.0.1-0, =0.0.1, =0.0.3, =0.0.1, =0.1.0, =0.0.1, =0.0.1, =0.1.0, =0.1.4, =0.1.0, =1.6.1-canary.0 and more Source cves: CVE-2026-31865 Source advisory: OSV:GHSA-8HQ9-PHH3-P2WP...
Prototype Pollution
Overview elysia is an Ergonomic Framework for Human Affected versions of this package are vulnerable to Prototype Pollution in the Cookie class. An attacker can manipulate application behavior by overriding cookie names with proto. PoC proto=%7B%22injected%22%3A%22polluted%22%7D Details Prototype...
GHSA-8HQ9-PHH3-P2WP Elysia Cookie Value Prototype Pollution
Impact Elysia cookie can be overridden by prototype pollution , eg. proto Sending cookie with the follows name can override cookie value: bash proto=%7B%22injected%22%3A%22polluted%22%7D Patches Patched by 1.4.27 Workarounds 1. Use t.Cookie validation to enforce validation value 2. Prevent iterab...
PT-2026-25974
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution , eg. proto . This issue is patched in 1.4.27. As a workaround, use t.Cookie validati...
CVE-2026-30837
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26 , t.String format: 'url' is vulnerable to ReDoS. Repeating a partial url format protocol and hostname multiple times cause regex to slow down...
@228-fund/elysia-effect (=0.0.1), @228-fund/elysia-msgpack (>=0.0.1 <=0.0.3) +64 more potentially affected by CVE-2026-30837 via elysia (>=1.0.13 <=1.4.22)
elysia NPM version =1.0.13, =0.0.1, =0.1.0, =0.0.1, =0.0.1, =0.1.0, =0.1.4, =0.1.0, =0.1.0, =1.0.0-next.4, =1.0.0, =0.0.1, =1.0.3, =1.0.8 and more Source cves: CVE-2026-30837 Source advisory: SNYK:JS-ELYSIA-15469934...
@228-fund/elysia-effect (=0.0.1), @228-fund/elysia-msgpack (>=0.0.1 <=0.0.3) +122 more potentially affected by CVE-2026-30837 via elysia (>=0.1.2 <=1.4.22)
elysia NPM version =0.1.2, =0.0.1, =0.0.1, =0.0.7, =0.0.1-0, =0.0.1, =0.0.3, =0.0.1, =0.1.0, =0.0.1, =0.0.1, =0.1.0, =0.1.4, =0.1.0, =1.6.1-canary.0 and more Source cves: CVE-2026-30837 Source advisory: OSV:GHSA-F45G-68Q3-5W8X...