VYPR

npm package

elysia

pkg:npm/elysia

Vulnerabilities (4)

  • CVE-2026-31865Mar 18, 2026
    affected < 1.4.27fixed 1.4.27

    Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution , eg. `__proto__`. This issue is patched in 1.4.27. As a workaround,

  • CVE-2026-30837Mar 10, 2026
    affected < 1.4.26fixed 1.4.26

    Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26 , t.String({ format: 'url' }) is vulnerable to ReDoS. Repeating a partial url format (protocol and hostname) multiple times cause regex

  • CVE-2025-66457Dec 9, 2025
    affected < 1.4.18fixed 1.4.18

    Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.17 and below are subject to arbitrary code execution from cookie config. When dynamic cookies are enabled (e.g. there an existing cookie s

  • CVE-2025-66456Dec 9, 2025
    affected >= 1.4.0, < 1.4.17fixed 1.4.17

    Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.0 through 1.4.16 contain a prototype pollution vulnerability in `mergeDeep` after merging results of two standard schema validations with t