Description
`t.String({ format: 'url' })` is vulnerable to ReDoS.

Repeating a partial URL format (protocol and hostname) multiple times causes the regex to slow down significantly.

The following table shows how long it takes to process the repeated partial URL format:

| n repeat | elapsed_ms |
| --- | --- |
| 1024 | 33.993 |
| 2048 | 134.357 |
| 4096 | 537. |
Recommendation
Update the elysia package to the latest compatible version. Version details:
- Affected version(s): < 1.4.26
- Patched version(s): 1.4.26
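
The timings in the Description table can be turned into a growth exponent, and the same measurement can be re-run after upgrading to confirm the slowdown is gone. The sketch below is an added example, not Elysia's code or part of the advisory: `growthExponent`, `measure` and `boundedValidator` are hypothetical helper names, and the 2048-character cap is an assumed value.

```javascript
// Added example; not Elysia's code. All names here are hypothetical.

// Timings copied from the two complete rows of the advisory's table.
const ADVISORY_ROWS = [
  { n: 1024, ms: 33.993 },
  { n: 2048, ms: 134.357 },
];

// Least-squares slope of log(ms) against log(n).
// About 1 means linear time; about 2 means quadratic (the ReDoS signature here).
function growthExponent(rows) {
  const xs = rows.map((r) => Math.log(r.n));
  const ys = rows.map((r) => Math.log(r.ms));
  const mean = (a) => a.reduce((s, v) => s + v, 0) / a.length;
  const mx = mean(xs);
  const my = mean(ys);
  let num = 0;
  let den = 0;
  for (let i = 0; i < xs.length; i++) {
    num += (xs[i] - mx) * (ys[i] - my);
    den += (xs[i] - mx) ** 2;
  }
  return num / den;
}

// Time any validator over inputs of growing size. Feed the result to
// growthExponent() as a regression check once the package is upgraded.
function measure(validate, makeInput, sizes) {
  return sizes.map((n) => {
    const input = makeInput(n);
    const t0 = performance.now();
    validate(input);
    return { n, ms: performance.now() - t0 };
  });
}

// Defence in depth: reject over-long strings before any format check runs,
// so a superlinear pattern never sees attacker-sized input.
// maxLen = 2048 is an assumed cap, not a value from the advisory.
function boundedValidator(validate, maxLen = 2048) {
  return (input) =>
    typeof input === 'string' && input.length <= maxLen && validate(input);
}
```

On the advisory's own numbers the exponent comes out just under 2: doubling the input roughly quadruples the processing time.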
References
Related Issues
- SCEditor has DOM XSS via emoticon URL/HTML injection - CVE-2026-25581
- DbGate has cross site scripting via the SVG Icon String Handler component - CVE-2026-6216
- tarteaucitron.js has Regular Expression Denial of Service (ReDoS) vulnerability - CVE-2026-22809
- qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays - CVE-2026-8723
- Tags:
- npm
- elysia
Last updated on March 10, 2026


