CVE-2026-30837

Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26 , t.String({ format: 'url' }) is vulnerable to ReDoS. Repeating a partial url format (protocol and hostname) multiple times cause regex to slow down significantly. This vulnerability is fixed in 1.4.26.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/EdamAme-x/elysia-poc-redos	Exploit
https://github.com/elysiajs/elysia/security/advisories/GHSA-f45g-68q3-5w8x	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:elysiajs:elysia:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2026-03-10 21:16

Updated : 2026-03-20 15:23

NVD link : CVE-2026-30837

Mitre link : CVE-2026-30837

CVE.ORG link : CVE-2026-30837

JSON object : View

Products Affected

elysiajs

elysia

CWE

CWE-1333

Inefficient Regular Expression Complexity

7.5 /10