CVE-2026-30837: Elysia has a string URL format ReDoS

March 10, 2026

t.String({ format: 'url' }) is vulnerable to redos

Repeating a partial url format (protocol and hostname) multiple times cause regex to slow down significantly

'http://a'.repeat(n)

Here’s a table demonstrating how long it takes to process repeated partial url format

`n` repeat	elapsed_ms
1024	33.993
2048	134.357
4096	537.608
8192	2155.842
16384	8618.457
32768	34604.139

References

github.com/EdamAme-x/elysia-poc-redos
github.com/advisories/GHSA-f45g-68q3-5w8x
github.com/elysiajs/elysia
github.com/elysiajs/elysia/security/advisories/GHSA-f45g-68q3-5w8x
nvd.nist.gov/vuln/detail/CVE-2026-30837

Code Behaviors & Features

Detect and mitigate CVE-2026-30837 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →