Prototype Pollution in Elysiajs Elysia

CVE-2025-66456

Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.0 through 1.4.16 contain a prototype pollution vulnerability in `mergeDeep` after merging results…

Vulnerability class: Prototype Pollution

EPSS: 0.002 (48.4th percentile) — read the EPSS interpretation.

Affected products

Elysiajs Elysia — versions >= 1.4.0, < 1.4.17

Weakness classification (CWE)

CWE-1321 — Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)

References

https://github.com/elysiajs/elysia/security/advisories/GHSA-hxj9-33pp-j2cc (x_refsource_CONFIRM)
https://github.com/elysiajs/elysia/security/advisories/GHSA-8vch-m3f4-q8jf (x_refsource_MISC)
https://github.com/elysiajs/elysia/pull/1564 (x_refsource_MISC)
https://github.com/elysiajs/elysia/commit/26935bf76ebc43b4a43d48b173fc853de43bb51e (x_refsource_MISC)
https://github.com/elysiajs/elysia/commit/3af978663e437dccc6c1a2a3aff4b74e1574849e (x_refsource_MISC)