CVE-2026-31865

Name of the Vulnerable Software and Affected Versions Elysia versions prior to 1.4.27

Description Elysia is a Typescript framework used for request validation, type inference, OpenAPI documentation, and client-server communication. A prototype pollution issue exists in Elysia where a cookie can be overridden, specifically using the proto property. Sending a cookie with the name proto can override cookie values. This issue is addressed in version 1.4.27.

Recommendations Versions prior to 1.4.27 should be updated to version 1.4.27 or later. As a workaround, use t.Cookie validation to enforce validation of cookie values and/or prevent iteration over cookies if possible.