CVE-2026-30837

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-30837
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26 , t.String({ format: 'url' }) is vulnerable to ReDoS. Repeating a partial url format (protocol and hostname) multiple times cause regex to slow down significantly. This vulnerability is fixed in 1.4.26.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/EdamAme-x/elysia-poc-redos Exploit
https://github.com/elysiajs/elysia/security/advisories/GHSA-f45g-68q3-5w8x Mitigation Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:elysiajs:elysia:*:*:*:*:*:node.js:*:*
History

20 Mar 2026, 15:23

Type Values Removed Values Added
CPE cpe:2.3:a:elysiajs:elysia:*:*:*:*:*:node.js:*:*
First Time Elysiajs
Elysiajs elysia
References () https://github.com/EdamAme-x/elysia-poc-redos - () https://github.com/EdamAme-x/elysia-poc-redos - Exploit
References () https://github.com/elysiajs/elysia/security/advisories/GHSA-f45g-68q3-5w8x - () https://github.com/elysiajs/elysia/security/advisories/GHSA-f45g-68q3-5w8x - Mitigation, Vendor Advisory

11 Mar 2026, 13:52

Type Values Removed Values Added
Summary
  • (es) Elysia es un framework de Typescript para validación de solicitudes, inferencia de tipos, documentación OpenAPI y comunicación cliente-servidor. Antes de la 1.4.26, t.String({ format: 'url' }) es vulnerable a ReDoS. Repetir un formato de url parcial (protocolo y nombre de host) varias veces causa que la expresión regular se ralentice significativamente. Esta vulnerabilidad está corregida en la 1.4.26.

10 Mar 2026, 21:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-10 21:16

Updated : 2026-03-20 15:23

NVD link : CVE-2026-30837

Mitre link : CVE-2026-30837

CVE.ORG link : CVE-2026-30837

JSON object : View

Products Affected

elysiajs

  • elysia
CWE
CWE-1333

Inefficient Regular Expression Complexity