Elysia · Elysia · CVE-2025-66456
**Name of the Vulnerable Software and Affected Versions**
Elysia versions 1.4.0 through 1.4.16
**Description**
Elysia is a TypeScript web framework that provides request validation, type inference, OpenAPI documentation, and client-server communication. Its `mergeDeep` function is susceptible to prototype pollution when it merges the results of two standard-schema validations that share the same key. The issue arises from the order in which the results are merged: an `any` type set as a standalone guard allows a `__proto__` key from the request body to be merged, so attacker-controlled values are written onto `Object.prototype`. Chained with GHSA-8vch-m3f4-q8jf, this can lead to remote code execution (RCE).
**Recommendations**
Update to Elysia version 1.4.17 or higher.
As a workaround, reject or strip the `__proto__` key from incoming request bodies before they reach validation.
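The following is an added illustration and is not Elysia's own `mergeDeep`, which is not reproduced here. It shows the shape of the bug the description above refers to (a recursive merge that walks a `__proto__` key into `Object.prototype`), a hardened merge, and a request-body check of the kind the workaround calls for. The function names `mergeDeepNaive`, `mergeDeepSafe`, `bodyHasForbiddenKey` and `probe` are hypothetical, and the attacker body is constructed for the example; the check also refuses `constructor` and `prototype`, which goes beyond the advisory's `__proto__`-only workaround.

```typescript
// Added example, not Elysia's code. Demonstrates the prototype-pollution
// shape of a naive deep merge, a hardened merge, and a body check for the
// workaround. All function names here are hypothetical.

type Dict = Record<string, unknown>;

// Keys that must never be walked during a merge. The advisory's workaround
// names only "__proto__"; "constructor" and "prototype" are added as the
// usual companion keys for prototype-pollution defenses.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v: unknown): v is Dict {
  if (v === null || typeof v !== "object" || Array.isArray(v)) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Vulnerable shape: every key of `source` is walked, so a "__proto__" key reads
// target["__proto__"] (which is Object.prototype), that passes the plain-object
// check, and the nested values are then written onto the shared prototype.
function mergeDeepNaive(target: Dict, source: Dict): Dict {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeDeepNaive(target[key] as Dict, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: prototype-related keys are skipped, and recursion only continues
// into an *own* plain-object property of `target`, never an inherited one.
function mergeDeepSafe(target: Dict, source: Dict): Dict {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = mergeDeepSafe(isPlainObject(own) ? own : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Workaround check: true if a parsed body carries a forbidden key at any depth,
// including inside arrays, so the request can be rejected before validation.
function bodyHasForbiddenKey(body: unknown): boolean {
  if (Array.isArray(body)) return body.some(bodyHasForbiddenKey);
  if (!isPlainObject(body)) return false;
  return Object.keys(body).some(
    (k) => FORBIDDEN_KEYS.has(k) || bodyHasForbiddenKey(body[k]),
  );
}

// Constructed attacker body (not from the advisory). JSON.parse keeps
// "__proto__" as an ordinary own property, exactly as a real request body
// would arrive; an object literal with that key would instead set the prototype.
const ATTACK_BODY = '{"name":"x","__proto__":{"polluted":"yes"}}';

// Runs one merge against the attack body, reports whether Object.prototype was
// modified, then undoes the pollution so nothing else in the process is affected.
function probe(merge: (t: Dict, s: Dict) => Dict): { polluted: boolean; ownKeys: string[] } {
  const body = JSON.parse(ATTACK_BODY) as Dict;
  const merged = merge({}, body);
  const polluted = ({} as Dict)["polluted"] === "yes";
  delete (Object.prototype as unknown as Dict)["polluted"];
  return { polluted, ownKeys: Object.keys(merged) };
}
```

`probe(mergeDeepNaive).polluted` is `true` while `probe(mergeDeepSafe).polluted` is `false`, and in both cases the merged object's own keys are just `["name"]`: the naive merge never creates an own `__proto__` property, which is why the pollution is invisible when only the merged result is inspected. Note that skipping the key inside the merge is the real fix; the body check is the stopgap to deploy while upgrading.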