{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31865", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T19:02:25.013Z", "datePublished": "2026-03-18T02:50:55.403Z", "dateUpdated": "2026-03-18T18:39:09.024Z"}, "containers": {"cna": {"title": "Elysia Cookie Value Prototype Pollution", "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/elysiajs/elysia/security/advisories/GHSA-8hq9-phh3-p2wp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/elysiajs/elysia/security/advisories/GHSA-8hq9-phh3-p2wp"}, {"name": "https://github.com/elysiajs/elysia/commit/e9d6b1743fa7368ef942dce181f6a089757f6aab", "tags": ["x_refsource_MISC"], "url": "https://github.com/elysiajs/elysia/commit/e9d6b1743fa7368ef942dce181f6a089757f6aab"}], "affected": [{"vendor": "elysiajs", "product": "elysia", "versions": [{"version": "< 1.4.27", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T02:50:55.403Z"}, "descriptions": [{"lang": "en", "value": "Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution , eg. `__proto__`. This issue is patched in 1.4.27. As a workaround, use t.Cookie validation to enforce validation value and/or prevent iterable over cookie if possible."}], "source": {"advisory": "GHSA-8hq9-phh3-p2wp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T18:36:47.933361Z", "id": "CVE-2026-31865", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T18:39:09.024Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31865", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T18:36:47.933361Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T18:39:05.576Z"}}], "cna": {"title": "Elysia Cookie Value Prototype Pollution", "source": {"advisory": "GHSA-8hq9-phh3-p2wp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "elysiajs", "product": "elysia", "versions": [{"status": "affected", "version": "< 1.4.27"}]}], "references": [{"url": "https://github.com/elysiajs/elysia/security/advisories/GHSA-8hq9-phh3-p2wp", "name": "https://github.com/elysiajs/elysia/security/advisories/GHSA-8hq9-phh3-p2wp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/elysiajs/elysia/commit/e9d6b1743fa7368ef942dce181f6a089757f6aab", "name": "https://github.com/elysiajs/elysia/commit/e9d6b1743fa7368ef942dce181f6a089757f6aab", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution , eg. `__proto__`. This issue is patched in 1.4.27. As a workaround, use t.Cookie validation to enforce validation value and/or prevent iterable over cookie if possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1321", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T02:50:55.403Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31865", "state": "PUBLISHED", "dateUpdated": "2026-03-18T18:39:09.024Z", "dateReserved": "2026-03-09T19:02:25.013Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-18T02:50:55.403Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elysiajs:elysia:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "D271578B-3D8C-496B-A511-4673FFCB69D5", "versionEndExcluding": "1.4.27", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution , eg. `__proto__`. This issue is patched in 1.4.27. As a workaround, use t.Cookie validation to enforce validation value and/or prevent iterable over cookie if possible."}, {"lang": "es", "value": "Elysia es un framework de Typescript para la validaci\u00f3n de solicitudes, inferencia de tipos, documentaci\u00f3n OpenAPI y comunicaci\u00f3n cliente-servidor. Antes de la versi\u00f3n 1.4.27, una cookie de Elysia pod\u00eda ser sobrescrita mediante contaminaci\u00f3n de prototipos, p. ej. `__proto__`. Este problema est\u00e1 parcheado en la versi\u00f3n 1.4.27. Como soluci\u00f3n alternativa, use la validaci\u00f3n t.Cookie para forzar el valor de validaci\u00f3n y/o evitar la iteraci\u00f3n sobre la cookie si es posible."}], "id": "CVE-2026-31865", "lastModified": "2026-03-20T17:52:07.900", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-18T04:17:19.393", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/elysiajs/elysia/commit/e9d6b1743fa7368ef942dce181f6a089757f6aab"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/elysiajs/elysia/security/advisories/GHSA-8hq9-phh3-p2wp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.27)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "elysia", "source": "cna", "vendor": "elysiajs"}, "product": "elysia", "vendor": "elysiajs"}], "analysis": {"en": {"generated_at": "2026-03-20T20:07:32.605716+00:00", "value": {"mitigation_remediation": ["Upgrade Elysia to version 1.4.27 or later", "Enforce strict cookie validation using t.Cookie to block prototype manipulation values", "Review application code to ensure no unvalidated cookie values are used in prototype operations", "Monitor logs for anomalous cookie values or unexpected behavior"], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution via Prototype Pollution"}, "threat_synthesis": {"affected_systems": "All installations of the Elysia JavaScript framework running version 1.4.26 or earlier are affected. This includes any Node.js application that uses Elysia for cookie parsing or request validation without additional filtering of cookie data.", "description_and_impact": "Elysia, a TypeScript framework for request validation and OpenAPI documentation, has a bug that allows cookie values to be interpreted as prototype keys in versions before 1.4.27. Sending a cookie containing a key such as \"__proto__\" causes the framework to perform prototype pollution, which can overwrite properties on JavaScript\u2019s base Object prototype. If an application later uses those polluted properties, it may lead to arbitrary code execution, privilege escalation, or other unintended behavior. The weakness is classified as CWE\u20111321.", "risk_and_exploitability": "Based on the description, it is inferred that an attacker can craft an HTTP request with a cookie value that includes \"__proto__\" to trigger the vulnerability. No authentication appears to be required for the request itself, though the ultimate impact depends on how the polluted prototype is used by the application. The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Prototype pollution can enable arbitrary code execution or unauthorized privilege escalation if the polluted properties are later leveraged in application logic."}}}}, "created": "2026-03-18T10:41:59.419669+00:00", "updated": "2026-03-24T10:59:28.875629+00:00", "vendors": ["elysiajs", "elysiajs$PRODUCT$elysia"]}