CVE-2026-30837Regex Denial of Service in Elysia

CWE-1333Regex Denial of Service5 documents5 sources
Severity
7.5HIGHNVD
EPSS
0.0%
top 94.91%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Elysiajs Elysia
Timeline
PublishedMar 10

Description

Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26 , t.String({ format: 'url' }) is vulnerable to ReDoS. Repeating a partial url format (protocol and hostname) multiple times cause regex to slow down significantly. This vulnerability is fixed in 1.4.26.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

CVEListV5elysiajs/elysia< 1.4.26
NVDelysiajs/elysia< 1.4.26
npmelysiajs/elysia< 1.4.26

🔴Vulnerability Details

3
CVEList
Elysia has a string URL format redos2026-03-10
GHSA
Elysia has a string URL format ReDoS2026-03-10
OSV
Elysia has a string URL format ReDoS2026-03-10

🕵️Threat Intelligence

1
Wiz
CVE-2026-30837 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-30837 — Regex Denial of Service in Elysia | cvebase