Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVE-2025-66456

Severity High
Score 9.1/10

Summary

Elysia is a TypeScript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.0 through 1.4.16 contain a prototype pollution vulnerability in "mergeDeep()", reached when the results of two standard schema validations with the same key are merged. Because of the order of merging, there must be an "any" type set as a standalone guard for the "__proto__" property to be merged. Combined with GHSA-8vch-m3f4-q8jf, this allows full Remote Code Execution (RCE) by an attacker. As a workaround, remove the "__proto__" key from body.

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • NONE
  • HIGH
  • HIGH

CWE-1321 - Prototype Pollution

Prototype pollution is one of the lesser-known vulnerability classes. It lets attackers abuse JavaScript's prototype-based inheritance by injecting properties into the prototype of the base object “Object”. Modifying the prototype of “Object” affects the behavior of all objects that inherit from it across the entire app, potentially resulting in denial of service, arbitrary code execution, cross-site scripting, etc.
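
The mechanism and the workaround described above, as an added example that is not Elysia's mergeDeep() and not code from the advisory: a constructed naive recursive merge beside a hardened one, plus removal of the "__proto__" key from a parsed body. The function names (naiveMerge, safeMerge, stripProtoKeys, demo) and the sample body are hypothetical, and stripping at every nesting level goes beyond the single top-level key the advisory mentions.

```javascript
// Added example; not Elysia's mergeDeep(). All function names are hypothetical.
const BLOCKED = new Set(["__proto__", "constructor", "prototype"]);
const isObj = (v) => v !== null && typeof v === "object" && !Array.isArray(v);
const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
// Vulnerable pattern: target["__proto__"] resolves to Object.prototype, so the
// recursion copies attacker-chosen keys onto the prototype shared by all objects.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isObj(source[key]) && isObj(target[key])) naiveMerge(target[key], source[key]);
    else target[key] = source[key];
  }
  return target;
}
// Hardened merge: skip prototype-related keys and recurse only into own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED.has(key)) continue;
    const value = source[key];
    if (!isObj(value)) target[key] = value;
    else target[key] = safeMerge(own(target, key) && isObj(target[key]) ? target[key] : {}, value);
  }
  return target;
}

// Workaround: drop "__proto__" keys (at every nesting level, an assumption here).
function stripProtoKeys(value) {
  if (Array.isArray(value)) return value.map(stripProtoKeys);
  if (!isObj(value)) return value;
  const clean = {};
  for (const key of Object.keys(value)) {
    if (key !== "__proto__") clean[key] = stripProtoKeys(value[key]);
  }
  return clean;
}

// Constructed sample body. JSON.parse makes "__proto__" an ordinary own key.
function demo() {
  const body = JSON.parse('{"name":"a","__proto__":{"polluted":true}}');
  const seen = {};
  safeMerge({}, body);
  seen.afterSafe = {}.polluted;
  naiveMerge({}, stripProtoKeys(body));
  seen.afterStrip = {}.polluted;
  naiveMerge({}, body);
  seen.afterNaive = {}.polluted;
  delete Object.prototype.polluted; // undo the pollution caused by the demo
  return seen;
}
console.log(demo());
```

Only the unguarded merge of the unstripped body leaves a property visible on a fresh empty object; blocking "constructor" and "prototype" as well is a common hardening choice that also drops legitimate fields with those names.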

Advisory Timeline

  • Published