CVE-2026-56669
Received Received - Intake

Denial of Service in Elysia Framework

Vulnerability report for CVE-2026-56669, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to 1.4.29, Elysia uses getAll in form data normalization for multipart/form-data endpoints, causing the amount of work to grow quadratically with the number of unique key-value pairs and allowing CPU exhaustion. This issue is fixed in version 1.4.29.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
elysia elysia 1.4.29

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-407 An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
CWE-436 Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Elysia Typescript framework prior to version 1.4.29. It involves the use of the getAll method in form data normalization for multipart/form-data endpoints. The way getAll is used causes the amount of work to grow quadratically with the number of unique key-value pairs submitted, which can lead to excessive CPU usage and exhaustion.

Impact Analysis

The vulnerability can lead to CPU exhaustion on systems running vulnerable versions of the Elysia framework. This means that an attacker could potentially cause a denial of service by sending specially crafted multipart/form-data requests with many unique key-value pairs, overwhelming the server's processing capacity.

Mitigation Strategies

To mitigate this vulnerability, upgrade Elysia to version 1.4.29 or later, where the issue with getAll in form data normalization for multipart/form-data endpoints has been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56669. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart