CVE-2026-31865

Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution , eg. `__proto__`. This issue is patched in 1.4.27. As a workaround, use t.Cookie validation to enforce validation value and/or prevent iterable over cookie if possible.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/elysiajs/elysia/commit/e9d6b1743fa7368ef942dce181f6a089757f6aab	Patch
https://github.com/elysiajs/elysia/security/advisories/GHSA-8hq9-phh3-p2wp	Mitigation Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:elysiajs:elysia:*:*:*:*:*:node.js:*:*

History

20 Mar 2026, 17:52

Type	Values Removed	Values Added
CPE		cpe:2.3:a:elysiajs:elysia::::::node.js::*
First Time		Elysiajs Elysiajs elysia
References	~~() https://github.com/elysiajs/elysia/commit/e9d6b1743fa7368ef942dce181f6a089757f6aab -~~	() https://github.com/elysiajs/elysia/commit/e9d6b1743fa7368ef942dce181f6a089757f6aab - Patch
References	~~() https://github.com/elysiajs/elysia/security/advisories/GHSA-8hq9-phh3-p2wp -~~	() https://github.com/elysiajs/elysia/security/advisories/GHSA-8hq9-phh3-p2wp - Mitigation, Patch, Vendor Advisory

18 Mar 2026, 14:52

Type	Values Removed	Values Added
Summary		(es) Elysia es un framework de Typescript para la validación de solicitudes, inferencia de tipos, documentación OpenAPI y comunicación cliente-servidor. Antes de la versión 1.4.27, una cookie de Elysia podía ser sobrescrita mediante contaminación de prototipos, p. ej. `__proto__`. Este problema está parcheado en la versión 1.4.27. Como solución alternativa, use la validación t.Cookie para forzar el valor de validación y/o evitar la iteración sobre la cookie si es posible.

18 Mar 2026, 04:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-18 04:17

Updated : 2026-03-20 17:52

NVD link : CVE-2026-31865

Mitre link : CVE-2026-31865

CVE.ORG link : CVE-2026-31865

JSON object : View

Products Affected

elysiajs

elysia

CWE

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

6.5 /10