CVE-2025-66456 — Prototype Pollution in Elysia

CWE-1321 — Prototype Pollution5 documents5 sources

Severity

9.1CRITICALNVD

EPSS

0.2%

top 57.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Elysiajs Elysia

Timeline

PublishedDec 9

Description

Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.0 through 1.4.16 contain a prototype pollution vulnerability in `mergeDeep` after merging results of two standard schema validations with the same key. Due to the ordering of merging, there must be an any type that is set as a standalone guard, to allow for the `__proto__ prop` to be merged. When combined with GHSA-8vch-m3f4-q8jf this allows for a full RCE …

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

▶NVDelysiajs/elysia1.4.0 — 1.4.17

▶npmelysiajs/elysia1.4.0 — 1.4.17

▶CVEListV5elysiajs/elysia>= 1.4.0, < 1.4.17

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Elysia vulnerable to prototype pollution with multiple standalone schema validation↗2025-12-09

▶

CVEList

Elysia vulnerable to prototype pollution with multiple standalone schema validation↗2025-12-09

▶

GHSA

Elysia vulnerable to prototype pollution with multiple standalone schema validation↗2025-12-09

▶

🕵️Threat Intelligence

Wiz

CVE-2025-66456 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶