CVE-2026-31865

Summary

Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution , eg. __proto__. This issue is patched in 1.4.27. As a workaround, use t.Cookie validation to enforce validation value and/or prevent iterable over cookie if possible.

Affected Software

VendorProductVersion RangeStatus
elysiajselysia< 1.4.27affected

Weaknesses

  • CWE-1321: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References