CVE-2026-30837: Regular Expression Denial of Service in Elysia Framework URL Validation
CVSS Score: 7.5
Published: 2026-03-10
Full Report: https://cvereports.com/reports/CVE-2026-30837
A critical Regular Expression Denial of Service (ReDoS) vulnerability in the Elysia TypeScript framework allows unauthenticated remote attackers to cause severe CPU exhaustion. The flaw lies in the TypeBox-backed URL validation schema and affects all versions prior to 1.4.26.
Unauthenticated remote attackers can cause a Denial of Service (DoS) by sending crafted strings to any endpoint that validates input with Elysia's t.String({ format: 'url' }) schema.
- CWE ID: CWE-1333
- Attack Vector: Network
- CVSS v3.1 Score: 7.5 (High)
- Impact: Denial of Service (Availability: High)
- Exploit Status: Proof-of-Concept Available
- Affected Component: t.String({ format: 'url' })
Affected Systems:
- Elysia Framework
- Node.js/Bun environments running Elysia schemas
- elysia: < 1.4.26 (Fixed in: 1.4.26)
Mitigations:
- Upgrade the Elysia framework to version 1.4.26 or later.
- Enforce maximum length limits (maxLength) on all URL string schema definitions.
- Manually override the 'url' pattern in the TypeBox FormatRegistry.
Remediation Steps:
- Audit package.json and lockfiles to identify the current Elysia version.
- Run the package manager's update command (e.g., npm update elysia) to pull version 1.4.26 or later.
- Verify the installed dependency tree (e.g., npm ls elysia) contains no vulnerable Elysia versions pulled in transitively.
- Restart the application server to apply the updated FormatRegistry patterns.
- If patching is not viable, deploy the FormatRegistry manual override within the application initialization phase.
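The two compensating controls above (a maxLength cap on URL schemas and a FormatRegistry override of the 'url' format) as an added example; this is not code from the Elysia or TypeBox projects. It assumes TypeBox's `FormatRegistry.Set(name, fn)` API (imported from '@sinclair/typebox' in a real application), a hypothetical 2048-character cap, and an http/https-only policy.

```typescript
// Added example, not code from Elysia or TypeBox: a backtracking-free 'url'
// format check plus the schema options that cap input length, the two
// compensating controls named in the advisory.
// Assumption: TypeBox exposes `FormatRegistry.Set(name, fn)`; import it from
// '@sinclair/typebox' in a real app. The registry is passed in here so this
// file runs stand-alone.

// Hypothetical cap; choose what your routes actually need.
const MAX_URL_LENGTH = 2048;

// Minimal shape of TypeBox's FormatRegistry that the installer needs.
interface FormatRegistryLike {
  Set(name: string, fn: (value: string) => boolean): void;
}

// Validate a URL without a regular expression: reject oversized input first
// (the same bound a maxLength schema option enforces), then hand the rest to
// the WHATWG URL parser, whose cost grows linearly with input length.
function safeUrlFormat(value: string): boolean {
  if (typeof value !== "string" || value.length > MAX_URL_LENGTH) return false;
  try {
    const parsed = new URL(value);
    // Accept web schemes only; 'javascript:' or 'file:' parse but are unwanted.
    return parsed.protocol === "http:" || parsed.protocol === "https:";
  } catch {
    return false; // not an absolute, parseable URL
  }
}

// Replace whatever validator is registered under 'url' with the safe one.
// Call this during application initialization, before any schema is compiled.
function installSafeUrlFormat(registry: FormatRegistryLike): void {
  registry.Set("url", safeUrlFormat);
}

// Pair the override with an explicit length cap in the schema itself:
//   t.String(urlSchemaOptions)
// so the bound is enforced by the schema even if the override is missing.
const urlSchemaOptions = { format: "url", maxLength: MAX_URL_LENGTH } as const;

// Time one check so the cost of a deliberately long input is observable.
function timedCheck(value: string): { ok: boolean; ms: number } {
  const start = performance.now();
  const ok = safeUrlFormat(value);
  return { ok, ms: performance.now() - start };
}
```

Pass the real `FormatRegistry` object to `installSafeUrlFormat` during startup; the length check runs before any parsing, so a multi-hundred-kilobyte input is rejected in constant time.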
Generated by CVEReports - Automated Vulnerability Intelligence