Description
Elysia cookie can be overridden by prototype pollution , eg. __proto__
Recommendation
Update the elysia package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.4.27
- Patched version(s): 1.4.27
References
Related Issues
- devalue has prototype pollution in devalue.parse and devalue.unflatten - CVE-2026-30226
- Parse Server vulnerable to schema poisoning via prototype pollution in deep copy - CVE-2026-32878
- seroval Affected by Prototype Pollution via JSON Deserialization - CVE-2026-23736
- Immutable is vulnerable to Prototype Pollution - CVE-2026-29063
- Tags:
- npm
- elysia
Anything's wrong? Let us know Last updated on March 22, 2026