CVE-2026-30837
HIGHElysia < 1.4.26 - Inefficient Regular Expression Complexity in URL Format Validation
Title source: llmDescription
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26 , t.String({ format: 'url' }) is vulnerable to ReDoS. Repeating a partial url format (protocol and hostname) multiple times cause regex to slow down significantly. This vulnerability is fixed in 1.4.26.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/elysiajs/elysia/security/advisories/GHSA-f45g-68q3-5w8x
Various Sources x_refsource_misc
https://github.com/EdamAme-x/elysia-poc-redos
Scores
CVSS v3
7.5
EPSS
0.0049
EPSS Percentile
38.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-1333
Status
published
Products (1)
elysiajs/elysia
< 1.4.26
Published
Mar 10, 2026
Tracked Since
Mar 11, 2026