Description
Elysia cookie can be overridden by prototype pollution , eg. __proto__
Recommendation
Update the elysia package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.4.27
- Patched version(s): 1.4.27
References
Related Issues
- JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection - CVE-2026-46625
- @nevware21/ts-utils: Prototype Pollution in objDeepCopy/objCopyProps via for...in without hasOwnProperty - CVE-2026-46681
- seroval Affected by Prototype Pollution via JSON Deserialization - CVE-2026-23736
- i18next-http-middleware: Prototype pollution and path traversal via user-controlled language and namespace parameters - CVE-2026-41690
You might also like:
- Tags:
- npm
- elysia
Anything's wrong? Let us know Last updated on March 22, 2026