CVE-2026-31865 | THREATINT

Description

Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution , eg. `__proto__`. This issue is patched in 1.4.27. As a workaround, use t.Cookie validation to enforce validation value and/or prevent iterable over cookie if possible.

PUBLISHED Reserved 2026-03-09 | Published 2026-03-18 | Updated 2026-03-18 | Assigner GitHub_M

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Problem types

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Product status

< 1.4.27

affected

References

github.com/...elysia/security/advisories/GHSA-8hq9-phh3-p2wp

github.com/...ommit/e9d6b1743fa7368ef942dce181f6a089757f6aab

cve.org (CVE-2026-31865)

nvd.nist.gov (CVE-2026-31865)

Download JSON