CVE-2026-31865: Elysia Cookie Value Prototype Pollution

March 17, 2026 (updated March 19, 2026)

Elysia cookie can be overridden by prototype pollution , eg. __proto__

Sending cookie with the follows name can override cookie value:

__proto__=%7B%22injected%22%3A%22polluted%22%7D

References

github.com/advisories/GHSA-8hq9-phh3-p2wp
github.com/elysiajs/elysia
github.com/elysiajs/elysia/commit/e9d6b1743fa7368ef942dce181f6a089757f6aab
github.com/elysiajs/elysia/security/advisories/GHSA-8hq9-phh3-p2wp
nvd.nist.gov/vuln/detail/CVE-2026-31865

Code Behaviors & Features

Detect and mitigate CVE-2026-31865 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →