Advisories for Npm/Elysia package

Elysia cookie can be overridden by prototype pollution , eg. proto Sending cookie with the follows name can override cookie value: proto=%7B%22injected%22%3A%22polluted%22%7D

t.String({ format: 'url' }) is vulnerable to redos Repeating a partial url format (protocol and hostname) multiple times cause regex to slow down significantly 'http://a'.repeat(n) Here's a table demonstrating how long it takes to process repeated partial url format | n repeat | elapsed_ms | | — | — | | 1024 | 33.993 | | 2048 | 134.357 | | 4096 | 537.608 | | 8192 | 2155.842 | …

Prototype pollution vulnerability in mergeDeep after merging results of two standard schema validations with the same key. Due to the ordering of merging, there must be an any type that is set as a standalone guard, to allow for the proto prop to be merged. When combined with GHSA-8vch-m3f4-q8jf this allows for a full RCE by an attacker.

Arbitrary code execution from cookie config. If dynamic cookies are enabled (ie there exists a schema for cookies), the cookie config is injected into the compiled route without first being sanitised. Availability of this exploit is generally low, as it requires write access to either the Elysia app's source code (in which case the vulnerability is meaningless) or write access to the cookie config (perhaps where it is assumed to …