Elysia vulnerable to prototype pollution with multiple standalone schema validation
- Severity: High
Description
Elysia's mergeDeep is vulnerable to prototype pollution when it merges the results of two standard schema validations that share the same key. Because of the order in which the merge happens, the issue is only reachable when an any type is set as a standalone guard, which allows the __proto__ property to be merged.
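The class of bug described above, as an added example that is not Elysia's own code: a generic recursive merge that follows a __proto__ key into Object.prototype, beside a hardened version that skips it. The names naiveMerge, safeMerge and compareMerges and the sample validation results are assumptions constructed for illustration.

```javascript
// Added example: a generic recursive merge, NOT Elysia's mergeDeep.
const isObj = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Naive merge: recurses into every own key of source, including "__proto__".
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isObj(value)) {
      // target["__proto__"] resolves to Object.prototype, so recursion writes there.
      if (!isObj(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skips prototype-reaching keys and only recurses into own properties.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED.has(key)) continue;
    const value = source[key];
    if (isObj(value)) {
      if (!own(target, key) || !isObj(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed input: two validation results for the same key; the permissive
// one passed a "__proto__" member through unchanged (JSON.parse keeps it as an own key).
function compareMerges() {
  const strict = () => JSON.parse('{"user": {"name": "alice"}}');
  const permissive = JSON.parse('{"user": {"name": "alice", "__proto__": {"isAdmin": true}}}');

  const safe = safeMerge(strict(), permissive);
  const safePolluted = ({}).isAdmin === true;

  naiveMerge(strict(), permissive);
  const naivePolluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo the pollution caused by the naive merge

  return { safePolluted, naivePolluted, safeUser: safe.user };
}
```

A regression test for a patched merge can use the same check: after merging input that carries a __proto__ key, a fresh empty object must not expose the injected property.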
Recommendation
Update the elysia package to the latest compatible version. The version details are as follows:
- Affected version(s): >= 1.4.0, < 1.4.17
- Patched version(s): 1.4.17
References
Related Issues
- parse is vulnerable to prototype pollution - CVE-2025-57324
- min-document vulnerable to prototype pollution - CVE-2025-57352
- rollbar vulnerable to Prototype Pollution in merge() - CVE-2025-62517
- rollbar vulnerable to prototype pollution - CVE-2025-57325
- Tags: npm, elysia
Last updated on December 09, 2025