Elysia vulnerable to prototype pollution with multiple standalone schema validation
- Severity: High
Description
Elysia's internal mergeDeep helper is vulnerable to prototype pollution when it merges the results of two standard schema validations that share the same key. Because of the order in which those results are merged, exploitation requires an any-typed schema registered as a standalone guard: the permissive schema lets a request property named __proto__ through validation unchanged, and the subsequent merge then copies it into the shared object prototype instead of treating it as an ordinary key.
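The merge behaviour described above, as an added illustration that is not Elysia's own code: a naive recursive merge modelled on this class of bug, beside a hardened variant, both fed a constructed request body that an any-typed standalone guard would pass through unchanged. The function names, the sample body and the isAdmin property are assumptions made for the example, not identifiers from the advisory.

```typescript
// Added example: models the bug class, NOT Elysia's mergeDeep implementation.
type Obj = Record<string, unknown>;

function isPlainObject(v: unknown): v is Obj {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// Vulnerable merge: iterates every key of `source`, including an own key
// literally named "__proto__". Reading target["__proto__"] yields
// Object.prototype, which passes the "is it an object" check, so the
// recursion writes the attacker's nested values straight into it.
function mergeDeepVulnerable(target: Obj, source: Obj): Obj {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeDeepVulnerable(target[key] as Obj, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that must never be merged from untrusted input.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened merge: own keys only, forbidden keys skipped, and nested
// containers created without a prototype so a later write cannot reach
// Object.prototype through an inherited property.
function mergeDeepSafe(target: Obj, source: Obj): Obj {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = Object.create(null);
      mergeDeepSafe(target[key] as Obj, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker body (assumption): JSON.parse creates an OWN property
// named "__proto__" rather than setting the prototype, which is exactly what
// a permissive any-typed guard would hand on to the merge untouched.
const ATTACKER_BODY = '{"name":"alice","__proto__":{"isAdmin":true}}';

// Merges two "validation results" for the same key (one strict, one any-typed),
// reports whether an unrelated object was polluted, and restores the global
// prototype afterwards so the rest of the process is unaffected.
function pollutionObserved(merge: (t: Obj, s: Obj) => Obj): boolean {
  const fromStrictSchema: Obj = { name: "alice" };
  const fromAnyGuard: Obj = JSON.parse(ATTACKER_BODY);
  try {
    merge(fromStrictSchema, fromAnyGuard);
    const unrelated: Obj = {};
    return unrelated.isAdmin === true;
  } finally {
    delete (Object.prototype as Obj).isAdmin;
  }
}

console.log("vulnerable merge polluted Object.prototype:", pollutionObserved(mergeDeepVulnerable));
console.log("hardened merge polluted Object.prototype:", pollutionObserved(mergeDeepSafe));
```

The check a practitioner wants after upgrading is the one pollutionObserved performs: merge a body whose __proto__ key survived validation, then inspect a freshly created empty object for the injected property. Skipping the three forbidden keys is necessary but not sufficient on its own; using Object.keys rather than for...in and building nested containers with Object.create(null) closes the remaining inherited-property paths.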
Recommendation
Update the elysia package to the latest compatible version. Version details:
- Affected version(s): >= 1.4.0, < 1.4.17
- Patched version(s): 1.4.17
- Tags: npm, elysia
Last updated on December 09, 2025