CVE-2026-30837 Elysiajs — Exploit & Vulnerability Details HIGH

CVE-2026-30837

HIGH CVSS 3.1: 7.5 EPSS 0.03%

Parameter	Value
CVSS	7.5 (HIGH)
Affected Versions	before 1.4.26
Fixed In	1.4.26
Type	CWE-1333 (Inefficient Regular Expression Complexity / ReDoS)
Vendor	Elysiajs
Public PoC	No

Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26 , t.String({ format: 'url' }) is vulnerable to ReDoS. Repeating a partial url format (protocol and hostname) multiple times cause regex to slow down significantly.

This vulnerability is fixed in 1.4.26.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Privileges Required

None

No privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

None

No data leak

Integrity

None

No data modification

Availability

High

Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-1333 Inefficient Regular Expression Complexity / ReDoS

Vulnerable Products 1

Configuration	From (including)	Up to (excluding)
Elysiajs Elysia cpe:2.3:a:elysiajs:elysia::::::node.js::*	—	`1.4.26`

References 2

https://github.com/EdamAme-x/elysia-poc-redos

security-advisories@github.com

https://github.com/elysiajs/elysia/security/advisories/GHSA-f45g-68q3-5w8x

security-advisories@github.com

Share Post Share Share Share

Related Vulnerabilities

CVE-2026-31865

Elysiajs

5.3

Menu

CVE-2026-30837

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

Vulnerable Products 1

References 2

Related Vulnerabilities

CVE-2026-31865

CVE Details

Editor's Choice

Menu

CVE-2026-30837

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

Vulnerable Products 1

References 2

Related Vulnerabilities

CVE-2026-31865

CVE Details

Editor's Choice

Stay informed on cybersecurity