GHSA-hxj9-33pp-j2cc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hxj9-33pp-j2cc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-hxj9-33pp-j2cc/GHSA-hxj9-33pp-j2cc.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-hxj9-33pp-j2cc
- Aliases
- Related
- Published
- 2025-12-09T17:11:53Z
- Modified
- 2026-02-04T03:31:17.532002Z
- Severity
-
- 9.1 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Elysia vulnerable to prototype pollution with multiple standalone schema validation
- Details
-
Prototype pollution vulnerability in
mergeDeepafter merging results of two standard schema validations with the same key. Due to the ordering of merging, there must be ananytype that is set as astandaloneguard, to allow for the__proto__prop to be merged.When combined with GHSA-8vch-m3f4-q8jf this allows for a full RCE by an attacker.
Impact
Routes with more than 2 standalone schema validation, eg. zod
Example vulnerable code:
import { Elysia } from "elysia" import * as z from "zod" const app = new Elysia() .guard({ schema: "standalone", body: z.object({ data: z.any() }) }) .post("/", ({ body }) => ({ body, win: {}.foo }), { body: z.object({ data: z.object({ messageId: z.string("pollute-me"), }) }) })Patches
Patched by 1.4.17 (https://github.com/elysiajs/elysia/pull/1564)
Reference commit: - https://github.com/elysiajs/elysia/pull/1564/commits/26935bf76ebc43b4a43d48b173fc853de43bb51e - https://github.com/elysiajs/elysia/pull/1564/commits/3af978663e437dccc6c1a2a3aff4b74e1574849e
Workarounds
Remove
__proto__key from bodyExample plugin for removing
__proto__from bodynew Elysia() .onTransform(({ body, headers }) => { if (headers['content-type'] === 'application/json') return JSON.parse(JSON.stringify(body), (k, v) => { if (k === '__proto__') return return v }) }) - Database specific
{ "github_reviewed": true, "nvd_published_at": "2025-12-09T20:15:54Z", "cwe_ids": [ "CWE-1321" ], "github_reviewed_at": "2025-12-09T17:11:53Z", "severity": "CRITICAL" }- References
-
- https://github.com/elysiajs/elysia/security/advisories/GHSA-8vch-m3f4-q8jf
- https://github.com/elysiajs/elysia/security/advisories/GHSA-hxj9-33pp-j2cc
- https://nvd.nist.gov/vuln/detail/CVE-2025-66456
- https://github.com/elysiajs/elysia/pull/1564
- https://github.com/elysiajs/elysia/commit/26935bf76ebc43b4a43d48b173fc853de43bb51e
- https://github.com/elysiajs/elysia/commit/3af978663e437dccc6c1a2a3aff4b74e1574849e
- https://github.com/elysiajs/elysia
- https://github.com/sportshead/elysia-poc
Affected packages
npm / elysia
Package
- Name
- elysia
- View open source insights on deps.dev
- Purl
- pkg:npm/elysia