CVE-2026-30837
Published 2026-03-10
Priority: P344 · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.49% (38.7th percentile)
Elysia is a TypeScript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26, `t.String({ format: 'url' })` is vulnerable to ReDoS: repeating a partial URL (protocol and hostname) many times causes the format regex to slow down significantly. This vulnerability is fixed in 1.4.26.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elysiajs | elysia | < 1.4.26 | 1.4.26 |
| elysiajs | elysia | >= 0 < 1.4.26 | 1.4.26 |
GHSA (ghsa · 2026-03-10)
CVE-2026-30837 [HIGH] CWE-1333 Elysia has a string URL format ReDoS
### Impact
`t.String({ format: 'url' })` is vulnerable to ReDoS (CWE-1333): repeating a partial URL (protocol and hostname) many times causes the format regex to slow down significantly.
```js
'http://a'.repeat(n)
```
Here's a table showing how long the format check takes on the repeated partial URL:
| `n` (repeats) | elapsed (ms) |
| --- | --- |
| 1024 | 33.993 |
| 2048 | 134.357 |
| 4096 | 537.608 |
| 8192 | 2155.842 |
| 16384 | 8618.457 |
| 32768 | 34604.139 |
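For comparison, the same inputs run through a check that cannot be driven super-linear. This is an added example, not Elysia's code; it assumes a 2048-character policy cap on URL length, an http/https allow-list, and the WHATWG `URL` parser available as a global (Node 16+ or a browser).

```javascript
// Added example (not Elysia's code): a URL format check that stays linear in
// the input length, run on the same inputs the advisory's table uses.
// Assumptions (not from the advisory): a 2048-character policy cap on URLs,
// an http/https allow-list, and the WHATWG `URL` parser as a global.
const MAX_URL_LENGTH = 2048;
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

function isSafeUrl(input) {
  if (typeof input !== 'string') return false;
  // Check the length before any parsing: a bounded input bounds the work
  // of every later step, whichever validator sits behind it.
  if (input.length > MAX_URL_LENGTH) return false;
  let url;
  try {
    url = new URL(input); // single forward pass, no backtracking
  } catch {
    return false; // not an absolute URL at all
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) && url.hostname.length > 0;
}

// Run the check on 'http://a' repeated n times and report wall-clock time,
// mirroring the advisory's measurement.
function timeCheck(n) {
  const input = 'http://a'.repeat(n);
  const start = performance.now();
  const accepted = isSafeUrl(input);
  const elapsedMs = performance.now() - start;
  return { n, length: input.length, accepted, elapsedMs };
}

for (const n of [1024, 2048, 4096, 8192, 16384, 32768]) {
  const r = timeCheck(n);
  console.log(`n=${r.n} length=${r.length} accepted=${r.accepted} elapsed_ms=${r.elapsedMs.toFixed(3)}`);
}
```

The cap and allow-list are policy choices; what matters is that both the cap and the parser do work proportional to the input, so the table's `n` values cannot push the check into the seconds range.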
### Patches
Patched in 1.4.26; please update `elysia` to >= 1.4.26.
Here's how long the same inputs take after the patch:
| `n` (repeats) | elapsed (ms) |
| --- | --- |
| 1024 | 0.194 |
| 2048 | 0.274 |
| 4096 | 0.455 |
| 8192 | 0.831 |
| 16384 | 1.632 |
| 32768 | 3.052 |
### Workarounds
1. It's recommended to always
OSV (osv · 2026-03-10): same advisory text as the GHSA entry above.
No detection rules found.
No public exploits indexed.
Published: 2026-03-10