{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30837", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-05T21:06:44.606Z", "datePublished": "2026-03-10T20:12:14.627Z", "dateUpdated": "2026-03-11T15:33:53.271Z"}, "containers": {"cna": {"title": "Elysia has a string URL format redos", "problemTypes": [{"descriptions": [{"cweId": "CWE-1333", "lang": "en", "description": "CWE-1333: Inefficient Regular Expression Complexity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/elysiajs/elysia/security/advisories/GHSA-f45g-68q3-5w8x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/elysiajs/elysia/security/advisories/GHSA-f45g-68q3-5w8x"}, {"name": "https://github.com/EdamAme-x/elysia-poc-redos", "tags": ["x_refsource_MISC"], "url": "https://github.com/EdamAme-x/elysia-poc-redos"}], "affected": [{"vendor": "elysiajs", "product": "elysia", "versions": [{"version": "< 1.4.26", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T20:12:14.627Z"}, "descriptions": [{"lang": "en", "value": "Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26 , t.String({ format: 'url' }) is vulnerable to ReDoS. Repeating a partial url format (protocol and hostname) multiple times cause regex to slow down significantly. This vulnerability is fixed in 1.4.26."}], "source": {"advisory": "GHSA-f45g-68q3-5w8x", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T15:32:36.602461Z", "id": "CVE-2026-30837", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T15:33:53.271Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elysiajs:elysia:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "BCA3E495-B827-4E49-9B9A-375FBF6F20B9", "versionEndExcluding": "1.4.26", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26 , t.String({ format: 'url' }) is vulnerable to ReDoS. Repeating a partial url format (protocol and hostname) multiple times cause regex to slow down significantly. This vulnerability is fixed in 1.4.26."}, {"lang": "es", "value": "Elysia es un framework de Typescript para validaci\u00f3n de solicitudes, inferencia de tipos, documentaci\u00f3n OpenAPI y comunicaci\u00f3n cliente-servidor. Antes de la 1.4.26, t.String({ format: 'url' }) es vulnerable a ReDoS. Repetir un formato de url parcial (protocolo y nombre de host) varias veces causa que la expresi\u00f3n regular se ralentice significativamente. Esta vulnerabilidad est\u00e1 corregida en la 1.4.26."}], "id": "CVE-2026-30837", "lastModified": "2026-03-20T15:23:08.813", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T21:16:47.070", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit"], "url": "https://github.com/EdamAme-x/elysia-poc-redos"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/elysiajs/elysia/security/advisories/GHSA-f45g-68q3-5w8x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.26)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "elysia", "source": "cna", "vendor": "elysiajs"}, "product": "elysia", "vendor": "elysiajs"}], "analysis": {"en": {"generated_at": "2026-04-18T09:37:38.635115+00:00", "value": {"mitigation_remediation": ["It is strongly recommended to update Elysia to version 1.4.26 or newer, where the vulnerable regex has been corrected.", "Implement rate limiting on all API endpoints that employ t.String({ format: 'url' }) to reduce the impact of a potential ReDoS attack.", "Validate incoming URLs against a stricter whitelist or length constraint before passing them to the validator, thereby limiting the size of malicious input."], "summary": {"action": "Update Elysia", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Elysia framework (elysiajs:elysia) running on Node.js. All releases prior to version 1.4.26 are susceptible, as the issue is confined to the url format validation logic used for request validation, type inference, OpenAPI documentation, and client\u2011server communication.", "description_and_impact": "The Elysia JavaScript framework contains a vulnerability in the t.String({ format: 'url' }) validator that leads to a Regular Expression Denial of Service. When an attacker repeats a partial URL pattern consisting of the protocol and hostname in a request, the underlying regex consumes excessive CPU resources, causing request processing to stall and the service to become unavailable. This flaw is classified as CWE\u20111333, representing a time\u2011based denial of service attack.", "risk_and_exploitability": "The severity rating of 7.5 indicates high potential damage if exploited, while the probability of exploitation is estimated to be below one percent. The vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. Exploitation is possible by sending crafted URLs to any exposed API endpoint that uses the vulnerable validator; it is inferred that such an attack would not require special privileges and would be a remote denial\u2011of\u2011service attack, but this is not explicitly stated in the CVE description."}}}}, "created": "2026-03-11T11:43:00.106047+00:00", "updated": "2026-04-18T09:45:25.832151+00:00", "vendors": ["elysiajs", "elysiajs$PRODUCT$elysia"]}