CVE-2026-31865
Prototype Pollution in Elysia Cookies Allows Cookie Override
Publication date: 2026-03-18
Last updated on: 2026-03-20
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elysiajs | elysia | < 1.4.27 (1.4.27 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31865 is a prototype pollution vulnerability in the Elysia TypeScript framework affecting versions prior to 1.4.27. The issue arises because the cookie parsing functionality does not properly handle special cookie names like `__proto__`. An attacker can exploit this by sending a specially crafted cookie with a name such as `__proto__` and a malicious value, which overrides the prototype of cookie objects. This manipulation can lead to unintended behavior by injecting properties into the prototype chain of cookie objects.
The vulnerability was patched in version 1.4.27 by changing the internal cookie storage objects to be created without a prototype (using `Object.create(null)`) and by explicitly ignoring dangerous cookie keys like `__proto__`, `constructor`, and `prototype` during cookie parsing. [1, 2]
How can this vulnerability impact me?
This vulnerability allows an attacker to remotely manipulate cookie objects by injecting properties into their prototype chain without any authentication or user interaction. The impact includes limited confidentiality and integrity risks, as attackers can alter cookie values or potentially influence application behavior relying on cookies.
- Attack Vector: Network (remote exploitation possible)
- Attack Complexity: Low (no special conditions required)
- Privileges Required: None (no authentication needed)
- User Interaction: None (no user action required)
- Confidentiality Impact: Low (limited data exposure)
- Integrity Impact: Low (limited data modification)
- Availability Impact: None (no denial of service)
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for HTTP requests that include specially crafted cookies with names such as `__proto__`, `constructor`, or `prototype`. These cookies attempt to exploit prototype pollution by injecting malicious values into the cookie object prototype.
To detect such attempts on your system or network, you can inspect incoming HTTP headers for suspicious cookie names.
- Use command-line tools like `tcpdump` or `Wireshark` to capture HTTP traffic and filter for cookies containing `__proto__` or similar keys. Packet capture only shows plaintext HTTP; for TLS traffic, inspect the Cookie header at the reverse proxy or in application logs instead.
- Example command to capture HTTP traffic on port 80 and filter for suspicious cookies using `tcpdump` (the BPF expression keeps only segments that carry a payload): `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '__proto__'`
- Alternatively, use web server logs or application logs to search for cookie headers containing `__proto__` or other prototype pollution keys.
Additionally, reviewing application code or runtime behavior for unexpected prototype modifications in cookie objects can help detect exploitation attempts. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the Elysia framework to version 1.4.27 or later, where the vulnerability is patched.
- Upgrade the elysia package to version 1.4.27 or newer.
If upgrading immediately is not possible, apply the following workarounds:
- Enforce strict cookie value validation using `t.Cookie` validation to prevent invalid or malicious cookie values.
- Prevent iteration over cookie objects to avoid prototype pollution risks.
The patch in version 1.4.27 modifies cookie parsing to ignore special keys like `__proto__`, `constructor`, and `prototype`, and uses `Object.create(null)` for cookie storage objects to eliminate prototype pollution vectors.
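The following is an added example, not Elysia's own code, that models the cookie-jar shape the explanation above describes in its pre-fix and post-fix forms and shows why the "do not iterate over cookie objects" workaround matters; it also includes a small helper for the log review suggested in the detection answer. The parser, type names and `DANGEROUS_KEYS` constant are assumptions of this example, not identifiers from the Elysia source.

```typescript
// Constructed example (not Elysia's code): a cookie-jar parser in the pre-fix
// and post-fix shapes the advisory describes, plus a log-review helper.
type CookieEntry = { name: string; value: string };
type CookieJar = Record<string, CookieEntry>;
// Keys that the 1.4.27 fix ignores while parsing.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Split a Cookie header into [name, value] pairs; shared by both parsers.
function splitCookieHeader(header: string): [string, string][] {
  const pairs: [string, string][] = [];
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch { /* keep the raw value */ }
    if (name) pairs.push([name, value]);
  }
  return pairs;
}

// Pre-fix shape: a plain object literal. Storing an object under the key
// "__proto__" hits Object.prototype's setter and swaps the jar's prototype.
function parseCookiesVulnerable(header: string): CookieJar {
  const jar: CookieJar = {};
  for (const [name, value] of splitCookieHeader(header)) jar[name] = { name, value };
  return jar;
}

// Post-fix shape: null-prototype storage (no setter to hit) and the dangerous
// keys dropped, the two changes the advisory credits to 1.4.27.
function parseCookiesHardened(header: string): CookieJar {
  const jar: CookieJar = Object.create(null);
  for (const [name, value] of splitCookieHeader(header)) {
    if (!DANGEROUS_KEYS.has(name)) jar[name] = { name, value };
  }
  return jar;
}

// Names a for...in loop sees. On a polluted jar this includes "phantom"
// cookies inherited from the injected prototype, which is why the workaround
// says not to iterate over cookie objects.
function iteratedCookieNames(jar: CookieJar): string[] {
  const names: string[] = [];
  for (const k in jar) names.push(k);
  return names;
}

// Log-review helper: prototype-pollution keys present in a raw Cookie header.
function dangerousCookieNames(header: string): string[] {
  return splitCookieHeader(header).map(([n]) => n).filter((n) => DANGEROUS_KEYS.has(n));
}
```

Feed `dangerousCookieNames` the Cookie header column of your access logs to flag requests worth a closer look; a non-empty result is a probe attempt, not proof of a successful override.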