Vulnerability Details CVE-2025-66456
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.0 through 1.4.16 contain a prototype pollution vulnerability in `mergeDeep` after merging results of two standard schema validations with the same key. Due to the ordering of merging, there must be an any type that is set as a standalone guard, to allow for the `__proto__ prop` to be merged. When combined with GHSA-8vch-m3f4-q8jf this allows for a full RCE by an attacker. This issue is fixed in version 1.4.17. To workaround, remove the `__proto__ key` from body.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 20.2%
CVSS Severity
CVSS v3 Score 9.8
References
- https://github.com/elysiajs/elysia/commit/26935bf76ebc43b4a43d48b173fc853de43bb51e
- https://github.com/elysiajs/elysia/commit/3af978663e437dccc6c1a2a3aff4b74e1574849e
- https://github.com/elysiajs/elysia/pull/1564
- https://github.com/elysiajs/elysia/security/advisories/GHSA-8vch-m3f4-q8jf
- https://github.com/elysiajs/elysia/security/advisories/GHSA-hxj9-33pp-j2cc
- https://github.com/elysiajs/elysia/security/advisories/GHSA-8vch-m3f4-q8jf
- https://github.com/elysiajs/elysia/security/advisories/GHSA-hxj9-33pp-j2cc
Products affected by CVE-2025-66456
-
cpe:2.3:a:elysiajs:elysia:1.4.0
-
cpe:2.3:a:elysiajs:elysia:1.4.1
-
cpe:2.3:a:elysiajs:elysia:1.4.10
-
cpe:2.3:a:elysiajs:elysia:1.4.11
-
cpe:2.3:a:elysiajs:elysia:1.4.12
-
cpe:2.3:a:elysiajs:elysia:1.4.13
-
cpe:2.3:a:elysiajs:elysia:1.4.14
-
cpe:2.3:a:elysiajs:elysia:1.4.15
-
cpe:2.3:a:elysiajs:elysia:1.4.16
-
cpe:2.3:a:elysiajs:elysia:1.4.2
-
cpe:2.3:a:elysiajs:elysia:1.4.3
-
cpe:2.3:a:elysiajs:elysia:1.4.4
-
cpe:2.3:a:elysiajs:elysia:1.4.5
-
cpe:2.3:a:elysiajs:elysia:1.4.6
-
cpe:2.3:a:elysiajs:elysia:1.4.7
-
cpe:2.3:a:elysiajs:elysia:1.4.8
-
cpe:2.3:a:elysiajs:elysia:1.4.9