CVE-2026-31865 - Vulnerability Details

- Elysia Cookie Value Prototype Pollution

Description

Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution , eg. `__proto__`. This issue is patched in 1.4.27. As a workaround, use t.Cookie validation to enforce validation value and/or prevent iterable over cookie if possible.

Published: 2026-03-18

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Elysia, a TypeScript framework for request validation and OpenAPI documentation, has a bug that allows cookie values to be interpreted as prototype keys in versions before 1.4.27. Sending a cookie containing a key such as "__proto__" causes the framework to perform prototype pollution, which can overwrite properties on JavaScript’s base Object prototype. If an application later uses those polluted properties, it may lead to arbitrary code execution, privilege escalation, or other unintended behavior. The weakness is classified as CWE‑1321.

Affected Systems

All installations of the Elysia JavaScript framework running version 1.4.26 or earlier are affected. This includes any Node.js application that uses Elysia for cookie parsing or request validation without additional filtering of cookie data.

Risk and Exploitability

Based on the description, it is inferred that an attacker can craft an HTTP request with a cookie value that includes "__proto__" to trigger the vulnerability. No authentication appears to be required for the request itself, though the ultimate impact depends on how the polluted prototype is used by the application. The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Prototype pollution can enable arbitrary code execution or unauthorized privilege escalation if the polluted properties are later leveraged in application logic.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

elysiajs

elysia

affected

Version	Status	Constraints
`< 1.4.27`	affected	—

Configuration 1 [-]

cpe:2.3:a:elysiajs:elysia:*:*:*:*:*:node.js:*:*

No data.

Vendor Product Confidence Versions

Elysiajs

Elysia

100%

Version	Status	Scheme	Platform
`[0,1.4.27)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Elysia to version 1.4.27 or later
Enforce strict cookie validation using t.Cookie to block prototype manipulation values
Review application code to ensure no unvalidated cookie values are used in prototype operations
Monitor logs for anomalous cookie values or unexpected behavior

Generated by OpenCVE AI on March 20, 2026 at 20:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-8hq9-phh3-p2wp	Elysia Cookie Value Prototype Pollution

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00021.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/elysiajs/elysia/commit/e9d6b1743fa7368ef942dce181f6a089757f6aab
https://github.com/elysiajs/elysia/security/advisories/GHSA-8hq9-phh3-p2wp

History

Fri, 20 Mar 2026 18:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:elysiajs:elysia::::::node.js::*

Wed, 18 Mar 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 18 Mar 2026 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Elysiajs Elysiajs elysia
Vendors & Products		Elysiajs Elysiajs elysia

Wed, 18 Mar 2026 03:30:00 +0000

Type	Values Removed	Values Added
Description		Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution , eg. `__proto__`. This issue is patched in 1.4.27. As a workaround, use t.Cookie validation to enforce validation value and/or prevent iterable over cookie if possible.
Title		Elysia Cookie Value Prototype Pollution
Weaknesses		CWE-1321
References		https://github.com/elysiajs/elysia/commit/e9d6b1743fa7368ef942dce181f6a089757f6aab https://github.com/elysiajs/elysia/security/advisories/GHSA-8hq9-phh3-p2wp
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}`

Subscriptions

Elysiajs Elysia

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-18T02:50:55.403Z

Updated: 2026-03-18T18:39:09.024Z

Reserved: 2026-03-09T19:02:25.013Z

Link: CVE-2026-31865

Vulnrichment

Updated: 2026-03-18T18:39:05.576Z

NVD

Status : Analyzed

Published: 2026-03-18T04:17:19.393

Modified: 2026-03-20T17:52:07.900

Link: CVE-2026-31865

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:59:28Z

Weaknesses

CWE-1321

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object