npm package
elysia
pkg:npm/elysia
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-31865 | — | | | < 1.4.27 | 1.4.27 | Mar 18, 2026 | Elysia is a TypeScript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution, e.g. `__proto__`. This issue is patched in 1.4.27. As a workaround, |
| CVE-2026-30837 | — | | | < 1.4.26 | 1.4.26 | Mar 10, 2026 | Elysia is a TypeScript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26, `t.String({ format: 'url' })` is vulnerable to ReDoS. Repeating a partial url format (protocol and hostname) multiple times cause regex |
| CVE-2025-66457 | — | | | < 1.4.18 | 1.4.18 | Dec 9, 2025 | Elysia is a TypeScript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.17 and below are subject to arbitrary code execution from cookie config. When dynamic cookies are enabled (e.g. there an existing cookie s |
| CVE-2025-66456 | — | | | >= 1.4.0, < 1.4.17 | 1.4.17 | Dec 9, 2025 | Elysia is a TypeScript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.0 through 1.4.16 contain a prototype pollution vulnerability in `mergeDeep` after merging results of two standard schema validations with t |