Elysiajs Elysia vulnerabilities
4 known vulnerabilities affecting elysiajs/elysia.
Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 1
Vulnerabilities
CVE-2026-31865 | MEDIUM | CVSS 5.3 | CWE-1321 | fixed in 1.4.27 | 2026-03-18
Elysia is a TypeScript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution, e.g. `__proto__`. This issue is patched in 1.4.27. As a workaround, use t.Cookie validation to enforce validation value and/or prevent ite
Sources: cvelistv5, ghsa, nvd, osv
CVE-2026-30837 | HIGH | CVSS 7.5 | CWE-1333 | fixed in 1.4.26 | 2026-03-10
Elysia is a TypeScript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26, t.String({ format: 'url' }) is vulnerable to ReDoS. Repeating a partial URL format (protocol and hostname) multiple times causes the regex to slow down significantly. This vulnerability is fixed in 1.4.26.
Sources: cvelistv5, ghsa, nvd, osv
CVE-2025-66456 | CRITICAL | CVSS 9.1 | CWE-1321 | affected >= 1.4.0, < 1.4.17 | 2025-12-09
Elysia is a TypeScript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.0 through 1.4.16 contain a prototype pollution vulnerability in `mergeDeep` after merging results of two standard schema validations with the same key. Due to the ordering of merging, there must be an any ty
Sources: cvelistv5, ghsa, nvd, osv
CVE-2025-66457 | HIGH | CVSS 7.5 | CWE-94 | fixed in 1.4.18 | 2025-12-09
Elysia is a TypeScript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.17 and below are subject to arbitrary code execution from cookie config. When dynamic cookies are enabled (e.g. there is an existing cookie schema), the cookie config is injected into the compiled route without first
Sources: cvelistv5, ghsa, nvd, osv