Description
`t.String({ format: 'url' })` is vulnerable to ReDoS.
Repeating a partial URL format (protocol and hostname) multiple times causes the regex to slow down significantly.
Here’s a table demonstrating how long it takes to process repeated partial url format:

| n repeat | elapsed_ms |
| --- | --- |
| 1024 | 33.993 |
| 2048 | 134.357 |
| 4096 | 537.
Recommendation
Update the elysia package to the latest compatible version. Version details:
- Affected version(s): < 1.4.26
- Patched version(s): 1.4.26
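The following is an added example, not Elysia's code or its patch: a linear-time URL check for input that cannot yet go through a patched validator, plus a helper that estimates how validation time grows with input size (the two complete rows of the table above give an exponent near 2, i.e. quadratic). The names `isSafeUrl`, `growthExponent`, `measure`, the 2048-character cap and the http/https restriction are assumptions, and the set of strings accepted may differ from the `url` format's.

```javascript
// Added example (not Elysia's code). All names here are hypothetical.
const MAX_URL_LENGTH = 2048; // assumed cap; tune to your API

// Linear-time URL check: length cap first, then the WHATWG URL parser
// instead of a backtracking regular expression.
function isSafeUrl(value) {
  if (typeof value !== 'string' || value.length > MAX_URL_LENGTH) return false;
  try {
    const u = new URL(value);
    // Assumption: only http(s) URLs are wanted.
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch {
    return false; // the parser rejected the string
  }
}

// Least-squares slope of log(time) against log(n):
// about 1 means linear growth, about 2 means quadratic growth.
function growthExponent(samples) {
  const pts = samples.map(([n, ms]) => [Math.log(n), Math.log(ms)]);
  const mx = pts.reduce((s, p) => s + p[0], 0) / pts.length;
  const my = pts.reduce((s, p) => s + p[1], 0) / pts.length;
  let num = 0, den = 0;
  for (const [x, y] of pts) { num += (x - mx) * (y - my); den += (x - mx) ** 2; }
  return num / den;
}

// Time `validator` on inputs built by the caller-supplied `makeInput(n)`,
// keeping the best of `rounds` runs per size. Returns [n, ms] pairs.
function measure(validator, makeInput, sizes, rounds = 5) {
  return sizes.map((n) => {
    const input = makeInput(n);
    let best = Infinity;
    for (let i = 0; i < rounds; i++) {
      const t0 = performance.now();
      validator(input);
      best = Math.min(best, performance.now() - t0);
    }
    return [n, Math.max(best, 1e-6)]; // avoid log(0) on coarse timers
  });
}

// The two complete rows of the advisory's table.
const advisoryRows = [[1024, 33.993], [2048, 134.357]];
console.log('advisory growth exponent:', growthExponent(advisoryRows).toFixed(2));
```

After upgrading, passing your own validator to `measure` and the result to `growthExponent` gives a regression check: an exponent near 1 indicates the quadratic behaviour is gone.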
References
Related Issues
- tarteaucitron.js has Regular Expression Denial of Service (ReDoS) vulnerability - CVE-2026-22809
- markdown-it has a Regular Expression Denial of Service (ReDoS) - CVE-2026-2327
- SCEditor has DOM XSS via emoticon URL/HTML injection - CVE-2026-25581
- Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that - CVE-2026-33468
- Tags:
- npm
- elysia
Last updated on March 10, 2026