Typescript Framework Vulnerability in Elysia for Request Validation and API Communication
CVE-2026-56669

7.5HIGH

Key Information:

Vendor

Elysiajs

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-56669?

The Elysia framework, a TypeScript solution for request validation and API communication, is susceptible to a vulnerability prior to version 1.4.29. This issue arises from the use of the 'getAll' method during form data normalization for multipart/form-data endpoints. As the number of unique key-value pairs increases, the processing workload grows quadratically, potentially leading to CPU exhaustion. This vulnerability has been addressed in the release of version 1.4.29, enhancing the framework's resilience against such attacks.

Affected Version(s)

elysia < 1.4.29

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.