CVE-2025-66456
BaseFortify

Publication date: 2025-12-09

Last updated on: 2025-12-17

Assigner: GitHub, Inc.

Description
Elysia is a TypeScript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.0 through 1.4.16 contain a prototype pollution vulnerability in `mergeDeep`, triggered when the results of two standard-schema validations with the same key are merged. Because of the order in which results are merged, an `any`-typed schema must be registered as a standalone guard for a `__proto__` property from the body to reach the merge. Combined with GHSA-8vch-m3f4-q8jf, this allows full remote code execution by an attacker. The issue is fixed in version 1.4.17. As a workaround, remove the `__proto__` key from the request body before it is merged; note that `JSON.parse` turns a `"__proto__"` key in the JSON text into an own property of the parsed object, so the check must inspect the parsed body's own keys.
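The description above explains the bug class in prose. The following TypeScript is an added illustration, not Elysia's code and not a reproduction of its `mergeDeep`: a minimal deep merge written here with the same flaw (a `__proto__` key in a parsed body is recursed into and lands on `Object.prototype`), a hardened merge beside it, and the advisory's workaround of stripping the `__proto__` key from the parsed body. All function names, the sample body and the `polluted` probe property are constructed for this example.

```typescript
// Added illustration for this advisory. NOT Elysia's mergeDeep: a minimal deep
// merge, written here, with the same class of flaw (CWE-1321), next to a
// hardened merge and the advisory's workaround of stripping the `__proto__`
// key from the parsed body. Names and sample data are constructed.

type Dict = Record<string, unknown>;

function isPlainObject(v: unknown): v is Dict {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// Vulnerable merge: iterates every own key of `source`, including a key
// literally named "__proto__". Reading target["__proto__"] goes through the
// accessor on Object.prototype and returns the shared prototype itself, which
// passes the plain-object check, so the recursion writes attacker-controlled
// properties onto Object.prototype, visible to every object in the process.
function mergeDeepVulnerable(target: Dict, source: Dict): Dict {
  for (const key of Object.keys(source)) {
    const s = source[key];
    const t = target[key];
    if (isPlainObject(s) && isPlainObject(t)) {
      mergeDeepVulnerable(t, s);
    } else {
      target[key] = s;
    }
  }
  return target;
}

// Hardened merge: deny the keys that reach the prototype chain and only
// recurse into values that `target` OWNS, so nothing inherited is walked.
// Nested source objects are copied through the same function so a forbidden
// key buried deeper in the body is dropped as well.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function mergeDeepHardened(target: Dict, source: Dict): Dict {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const s = source[key];
    const t = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
    if (isPlainObject(s) && isPlainObject(t)) {
      mergeDeepHardened(t, s);
    } else {
      target[key] = isPlainObject(s) ? mergeDeepHardened({}, s) : s;
    }
  }
  return target;
}

// The advisory's workaround applied to a parsed body. JSON.parse turns a
// "__proto__" key in the JSON text into an OWN property, so the filter walks
// own keys (Object.keys) recursively and rebuilds the value without that key.
function stripProtoKey(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(stripProtoKey);
  if (!isPlainObject(value)) return value;
  const out: Dict = {};
  for (const key of Object.keys(value)) {
    if (key === "__proto__") continue;
    out[key] = stripProtoKey(value[key]);
  }
  return out;
}

// Runs one merge against an attacker body and reports what an unrelated,
// freshly created object sees for `probe` afterwards, then removes any
// pollution so the rest of the process is unaffected.
function observePollution(
  merge: (target: Dict, source: Dict) => Dict,
  bodyJson: string,
  probe: string,
): unknown {
  const body = JSON.parse(bodyJson) as Dict;
  merge({}, body);
  const victim: Dict = {}; // never touched by the merge
  const seen = victim[probe];
  delete (Object.prototype as any)[probe]; // cleanup
  return seen;
}

// Constructed attacker body: one legitimate field plus a "__proto__" key.
const ATTACK_BODY = '{"name":"bob","__proto__":{"polluted":"yes"}}';

function demo(): Record<string, unknown> {
  return {
    vulnerable: observePollution(mergeDeepVulnerable, ATTACK_BODY, "polluted"),
    hardened: observePollution(mergeDeepHardened, ATTACK_BODY, "polluted"),
    workaround: observePollution(
      (t, s) => mergeDeepVulnerable(t, stripProtoKey(s) as Dict),
      ATTACK_BODY,
      "polluted",
    ),
  };
}

console.log(demo()); // { vulnerable: 'yes', hardened: undefined, workaround: undefined }
```

The hardened merge deliberately does two things, because the deny-list alone is not enough: it also refuses to recurse into anything `target` does not own, so a key that reaches an inherited object by some other name still cannot walk up the chain. The workaround filter must run on the parsed body, before the merge, and must look at own keys; checking `body.__proto__` against `Object.prototype` would not detect the injected key.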
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2025-12-09
EPSS evaluated: 2026-05-05
Affected Vendors & Products
19 associated CPEs
Vendor    Product  Version / Range
elysiajs  elysia   from 1.4.0 (inclusive) to 1.4.17 (inclusive)
elysia    elysia   1.4.0
elysia    elysia   1.4.1
elysia    elysia   1.4.2
elysia    elysia   1.4.3
elysia    elysia   1.4.4
elysia    elysia   1.4.5
elysia    elysia   1.4.6
elysia    elysia   1.4.7
elysia    elysia   1.4.8
elysia    elysia   1.4.9
elysia    elysia   1.4.10
elysia    elysia   1.4.11
elysia    elysia   1.4.12
elysia    elysia   1.4.13
elysia    elysia   1.4.14
elysia    elysia   1.4.15
elysia    elysia   1.4.16
elysia    elysia   1.4.17
Note: the inclusive upper bound of the range and the 1.4.17 entry contradict the description, which names 1.4.17 as the fixed release. Treat 1.4.0 through 1.4.16 as affected and 1.4.17 as fixed when checking installed versions.
CWE
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'): The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a prototype pollution issue in the Elysia TypeScript framework, versions 1.4.0 through 1.4.16. It occurs in the `mergeDeep` function when the results of two standard-schema validations with the same key are merged: because an `any`-typed schema is registered as a standalone guard, a `__proto__` property from the request body survives validation and is merged, polluting the object prototype. Combined with another vulnerability (GHSA-8vch-m3f4-q8jf), this can be exploited for full remote code execution (RCE). The issue is fixed in version 1.4.17, and a workaround is to remove the `__proto__` key from the request body before it is merged.


How can this vulnerability impact me?

This vulnerability can allow an attacker to perform remote code execution (RCE) on systems using vulnerable versions of the Elysia framework. This means an attacker could execute arbitrary code remotely, potentially leading to full system compromise, data theft, or disruption of services.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Elysia to version 1.4.17 or later. As a workaround, remove the `__proto__` key from the request body to prevent prototype pollution.

