PT-2026-24625 · Npm · Elysia
Published
2026-03-10
·
Updated
2026-03-10
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Impact
t.String({ format: 'url' }) is vulnerable to redosRepeating a partial url format (protocol and hostname) multiple times cause regex to slow down significantly
'http://a'.repeat(n)Here's a table demonstrating how long it takes to process repeated partial url format
n repeat | elapsed ms |
|---|---|
| 1024 | 33.993 |
| 2048 | 134.357 |
| 4096 | 537.608 |
| 8192 | 2155.842 |
| 16384 | 8618.457 |
| 32768 | 34604.139 |
Patches
Patched by 1.4.26, please kindly update
elysia to >= 1.4.26Here's how long it takes after the patch
n repeat | elapsed ms |
|---|---|
| 1024 | 0.194 |
| 2048 | 0.274 |
| 4096 | 0.455 |
| 8192 | 0.831 |
| 16384 | 1.632 |
| 32768 | 3.052 |
Workarounds
- It's recommended to always limit URL format to a reasonable length
t.String({
format: 'url',
maxLength: 288
})- If a long URL format is necessary, to patch this without updating to 1.4.26, add the following code to any part of your codebase
import { FormatRegistry } from '@sinclair/typebox'
FormatRegistry.Delete('url')
FormatRegistry.Set('url', (value) =>
/^(?:https?|ftp)://(?:[^s:@]+(?::[^s@]*)?@)?(?:(?!(?:10|127)(?:.d{1,3}){3})(?!(?:169.254|192.168)(?:.d{1,3}){2})(?!172.(?:1[6-9]|2d|3[0-1])(?:.d{1,3}){2})(?:[1-9]d?|1dd|2[01]d|22[0-3])(?:.(?:1?d{1,2}|2[0-4]d|25[0-5])){2}(?:.(?:[1-9]d?|1dd|2[0-4]d|25[0-4]))|(?:(?:[a-z0-9u{00a1}-u{ffff}]+-)*[a-z0-9u{00a1}-u{ffff}]+)(?:.(?:[a-z0-9u{00a1}-u{ffff}]+-)*[a-z0-9u{00a1}-u{ffff}]+)*(?:.(?:[a-zu{00a1}-u{ffff}]{2,})))(?::d{2,5})?(?:/[^s]*)?$/iu.test(
value
)
)Exploit
Fix
DoS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Elysia