Prototype Pollution Vulnerability in Elysia Framework by Elysia JS
CVE-2026-31865

6.5MEDIUM

Key Information:

Vendor: Elysiajs
Status: Elysia
Vendor: CVE Published:; 18 March 2026

What is CVE-2026-31865?

The Elysia framework, a popular Typescript tool for request validation and client-server communication, is susceptible to a prototype pollution issue that allows an Elysia cookie to be unintentionally overridden. This vulnerability arises when malicious inputs alter the prototype of an object, impacting the integrity of cookies processed by the framework. Users are encouraged to update to version 1.4.27 or higher, where the issue has been patched. Alternatively, employing t.Cookie validation can mitigate risks by enforcing stringent validation of cookie values and preventing iteration over cookies when applicable.

Affected Version(s)

elysia < 1.4.27

References

https://github.com/elysiajs/elysia/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/elysiajs/elysia/commit/e9d6b1743fa7368...

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 18, 2026
Vulnerability Reserved
Mar 9, 2026

CVE-2026-31865 Data

JSON

Elysiajs

What is CVE-2026-31865?

Affected Version(s)

References

CVSS V3.1

Timeline