CVE-2025-66456
BaseFortify

Publication date: 2025-12-09

Last updated on: 2025-12-17

Assigner: GitHub, Inc.

Description
Elysia is a TypeScript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.0 through 1.4.16 contain a prototype pollution vulnerability in `mergeDeep` when it merges the results of two standard-schema validations for the same key. Because of the order in which those results are merged, the `__proto__` property is only merged when an `any` type is set as a standalone guard. When combined with GHSA-8vch-m3f4-q8jf, this allows full remote code execution (RCE) by an attacker. The issue is fixed in version 1.4.17. As a workaround, strip the `__proto__` key from the request body.
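The following is an added illustration of the bug class (CWE-1321) behind this advisory, not Elysia's own `mergeDeep` and not a reproduction of the Elysia-specific trigger (two schema validations on one key plus a standalone `any` guard). It models a recursive merge that treats a JSON body's own `__proto__` key like any other key, shows how that write lands on `Object.prototype`, and places it beside a hardened merge and a body sanitiser matching the advisory's workaround. All names (`mergeDeepVulnerable`, `mergeDeepSafe`, `stripProtoKeys`, `ATTACKER_BODY`) are hypothetical, and the attacker body is constructed for the example.

```typescript
// Added example (not Elysia code): a minimal model of prototype pollution
// through a recursive merge, plus a hardened merge and a body sanitiser.
type Dict = Record<string, unknown>;

const isPlainObject = (v: unknown): v is Dict =>
  typeof v === "object" && v !== null && !Array.isArray(v);

// Vulnerable: recurses into every key of `source`, including "__proto__".
// For a plain target, target["__proto__"] resolves (via the inherited getter)
// to Object.prototype, so the recursive call writes attacker-controlled keys
// onto the prototype shared by every object in the process.
export function mergeDeepVulnerable(target: Dict, source: Dict): Dict {
  for (const key of Object.keys(source)) {
    const s = source[key];
    if (isPlainObject(s)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeDeepVulnerable(target[key] as Dict, s);
    } else {
      target[key] = s;
    }
  }
  return target;
}

// Keys that can reach a prototype when used as merge paths.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened: skips prototype-reaching keys and only recurses into properties
// the target itself owns, never into inherited ones.
export function mergeDeepSafe(target: Dict, source: Dict): Dict {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const s = source[key];
    if (isPlainObject(s)) {
      const own = Object.prototype.hasOwnProperty.call(target, key)
        ? target[key]
        : undefined;
      target[key] = mergeDeepSafe(isPlainObject(own) ? own : {}, s);
    } else {
      target[key] = s;
    }
  }
  return target;
}

// The advisory's workaround, generalised to nested objects and arrays:
// rebuild the parsed body without any "__proto__" (or constructor/prototype)
// keys before it reaches merge or validation logic.
export function stripProtoKeys(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(stripProtoKeys);
  if (!isPlainObject(value)) return value;
  const out: Dict = {};
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    out[key] = stripProtoKeys(value[key]);
  }
  return out;
}

// Constructed attacker body (hypothetical, not from the advisory). JSON.parse
// creates "__proto__" as an OWN property, so Object.keys() does return it.
export const ATTACKER_BODY = '{"name":"alice","__proto__":{"polluted":"yes"}}';

// Runs all three paths against a fresh, unrelated object and reports what
// that object now sees through its prototype chain.
export function demo(): { vulnerable: unknown; safe: unknown; stripped: boolean } {
  const probe: Dict = {};

  mergeDeepVulnerable({}, JSON.parse(ATTACKER_BODY));
  const vulnerable = probe.polluted; // "yes": Object.prototype was polluted
  delete (Object.prototype as unknown as Dict).polluted; // undo for the next steps

  mergeDeepSafe({}, JSON.parse(ATTACKER_BODY));
  const safe = probe.polluted; // undefined: nothing reached the prototype

  const cleaned = stripProtoKeys(JSON.parse(ATTACKER_BODY)) as Dict;
  const stripped = !Object.keys(cleaned).includes("__proto__") && cleaned.name === "alice";

  return { vulnerable, safe, stripped };
}

console.log(demo());
```

The important detail for a reviewer is the `hasOwnProperty` check in the hardened merge: rejecting the literal key `__proto__` is necessary, but recursing only into own properties also closes the inherited-getter path that makes the naive version land on `Object.prototype`. The sanitiser reproduces the advisory's workaround at the body boundary, which is the right place when the framework version cannot be upgraded immediately.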
Meta Information
Generated: 2026-06-16
AI Q&A: 2025-12-09
EPSS Evaluated: 2026-06-15
External references: NVD, EUVD
Affected Vendors & Products
19 associated CPEs (one version range plus one entry per 1.4.x release):
Vendor Product Version / Range
elysiajs elysia From 1.4.0 (inc) to 1.4.17 (exc); the description names 1.4.17 as the fixed release, so the upper bound is exclusive
elysia elysia 1.4.0
elysia elysia 1.4.1
elysia elysia 1.4.2
elysia elysia 1.4.3
elysia elysia 1.4.4
elysia elysia 1.4.5
elysia elysia 1.4.6
elysia elysia 1.4.7
elysia elysia 1.4.8
elysia elysia 1.4.9
elysia elysia 1.4.10
elysia elysia 1.4.11
elysia elysia 1.4.12
elysia elysia 1.4.13
elysia elysia 1.4.14
elysia elysia 1.4.15
elysia elysia 1.4.16
elysia elysia 1.4.17 (listed in the CPE set, but this is the fixed release per the description; treat 1.4.0 through 1.4.16 as the affected set)
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Executive Summary

This vulnerability is a prototype pollution issue in the Elysia TypeScript framework, versions 1.4.0 through 1.4.16. It occurs in the `mergeDeep` function when the results of two standard-schema validations for the same key are merged; because of the merge order, the `__proto__` property is only merged when an `any` type is used as a standalone guard. On its own this pollutes the object prototype; combined with GHSA-8vch-m3f4-q8jf it can be escalated to full remote code execution (RCE). The issue is fixed in version 1.4.17, and the workaround is to strip the `__proto__` key from the request body.

Impact Analysis

By itself, this vulnerability lets an unauthenticated request body write attacker-controlled properties onto the shared object prototype of a process running a vulnerable Elysia version, which can alter the behaviour of unrelated code in that process. Chained with GHSA-8vch-m3f4-q8jf, the advisory states it allows remote code execution (RCE), meaning an attacker could execute arbitrary code remotely, potentially leading to full system compromise, data theft, or disruption of services.

Mitigation Strategies

To mitigate this vulnerability, upgrade Elysia to version 1.4.17 or later. Where an immediate upgrade is not possible, strip the `__proto__` key from request bodies before they reach validation and merging. Because the chained advisory GHSA-8vch-m3f4-q8jf is what turns this into RCE, apply its fix as well. As a check, confirm the installed Elysia version is outside 1.4.0 through 1.4.16, and audit handlers for the precondition the description names: a standalone guard typed as `any` alongside two schema validations on the same key.
