PT-2025-49872 · Elysia · Elysia

Sportshead · Published 2025-12-09 · Updated 2025-12-17 · CVE-2025-66456

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Elysia versions 1.4.0 through 1.4.16

Description

Elysia is a TypeScript framework used for request validation, type inference, OpenAPI documentation, and client-server communication. The mergeDeep function is susceptible to prototype pollution when it merges the results of two standard schema validations that share the same key. Because of the order in which the results are merged, the issue requires an 'any' type set as a standalone guard, which allows the `__proto__` property to be merged. Combined with GHSA-8vch-m3f4-q8jf, this can lead to remote code execution (RCE). The vulnerable component is the mergeDeep function. The `__proto__` property is involved in the exploitation.

Recommendations

Update to Elysia version 1.4.17 or higher. As a workaround, remove the `__proto__` key from the request body.
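The workaround above (dropping the proto, i.e. `__proto__`, key from the request body) can be sketched as follows. This is an added example, not code from Elysia or from the advisory: `naiveMerge`, `stripProtoKeys` and `demo` are hypothetical names, and the request body is constructed for illustration.

```typescript
// Illustrative only: naiveMerge is NOT Elysia's mergeDeep, just a merge with the same class of flaw.
const isPlainObject = (v: unknown): v is Record<string, unknown> =>
  typeof v === "object" && v !== null && !Array.isArray(v);

// Vulnerable pattern: target["__proto__"] resolves to Object.prototype, so a source
// key named "__proto__" is merged into the prototype shared by every object.
function naiveMerge(target: Record<string, unknown>, source: Record<string, unknown>): Record<string, unknown> {
  for (const key of Object.keys(source)) {
    const next = source[key];
    const current = target[key];
    if (isPlainObject(next) && isPlainObject(current)) naiveMerge(current, next);
    else target[key] = next;
  }
  return target;
}

// Workaround from the advisory: return a copy of the parsed body with every
// "__proto__" key removed, at any nesting depth, before it reaches a merge.
function stripProtoKeys(value: unknown): unknown {
  if (Array.isArray(value)) return value.map((item) => stripProtoKeys(item));
  if (!isPlainObject(value)) return value;
  const clean: Record<string, unknown> = {};
  for (const key of Object.keys(value)) {
    if (key !== "__proto__") clean[key] = stripProtoKeys(value[key]);
  }
  return clean;
}

// Runs the same constructed body through the merge with and without the sanitizer.
function demo(): { before: unknown; afterNaive: unknown; afterClean: unknown } {
  // Constructed request body; JSON.parse keeps "__proto__" as an ordinary own key.
  const body = JSON.parse('{"name":"a","__proto__":{"polluted":"yes"}}');
  const probe = (): unknown => ({} as Record<string, unknown>)["polluted"];
  const before = probe();
  naiveMerge({}, body);
  const afterNaive = probe(); // a fresh, unrelated object now inherits "polluted"
  delete (Object.prototype as any).polluted; // undo the pollution for the next step
  naiveMerge({}, stripProtoKeys(body) as Record<string, unknown>);
  const afterClean = probe();
  return { before, afterNaive, afterClean };
}
```

Sanitizing the body is a stopgap for deployments that cannot upgrade yet; the fix named in the recommendations is still to move to 1.4.17 or higher.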

Exploit

Fix

RCE

Prototype Pollution

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2025-66456
GHSA-8VCH-M3F4-Q8JF
GHSA-HXJ9-33PP-J2CC

Affected Products

Elysia