Description
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.0 through 1.4.16 contain a prototype pollution vulnerability in `mergeDeep` after merging results of two standard schema validations with the same key. Due to the ordering of merging, there must be an any type that is set as a standalone guard, to allow for the `__proto__ prop` to be merged. When combined with GHSA-8vch-m3f4-q8jf this allows for a full RCE by an attacker. This issue is fixed in version 1.4.17. To workaround, remove the `__proto__ key` from body.
Problem types
CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Product status
References
github.com/...elysia/security/advisories/GHSA-hxj9-33pp-j2cc
github.com/...elysia/security/advisories/GHSA-8vch-m3f4-q8jf
github.com/...elysia/security/advisories/GHSA-hxj9-33pp-j2cc
github.com/...elysia/security/advisories/GHSA-8vch-m3f4-q8jf
github.com/elysiajs/elysia/pull/1564
github.com/...ommit/26935bf76ebc43b4a43d48b173fc853de43bb51e
github.com/...ommit/3af978663e437dccc6c1a2a3aff4b74e1574849e
