CVE-2025-66456 · CRITICAL 9.8 · EPSS p37.2%

CVE-2025-66456

Description

Elysia is a TypeScript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.0 through 1.4.16 contain a prototype pollution vulnerability in `mergeDeep` when the results of two standard-schema validations for the same key are merged. Because of the order in which results are merged, an `any` type must be set as a standalone guard for a `__proto__` property to reach the merge. Combined with GHSA-8vch-m3f4-q8jf, this allows full RCE by an attacker. The issue is fixed in version 1.4.17. As a workaround, remove the `__proto__` key from the request body.
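The merge pattern the advisory describes, as an added example that is not Elysia's code: a naive recursive merge that honours an own `__proto__` key in a parsed JSON body and thereby writes into `Object.prototype`, the advisory's workaround (strip the key from the body before merging), and a hardened merge that refuses prototype-related keys at every depth. The function names (`mergeDeepUnsafe`, `mergeDeepSafe`, `stripProtoKeys`, `probe`) and the attacker body are hypothetical and constructed for this illustration; they do not reproduce Elysia's `mergeDeep` or the fix in 1.4.17.

```typescript
// Added illustration, not Elysia's code. Names below are hypothetical.
type Dict = Record<string, any>;

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v: unknown): v is Dict {
  return typeof v === 'object' && v !== null && !Array.isArray(v);
}

// Vulnerable pattern: every own key of `source` is merged into `target`.
// For the key "__proto__", target[key] resolves to Object.prototype (it is
// an accessor, not an own property), so the recursion writes the attacker's
// properties onto the prototype shared by every plain object.
function mergeDeepUnsafe(target: Dict, source: Dict): Dict {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeDeepUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skip prototype-related keys at every depth and only descend
// into keys that are the target's *own* plain-object properties.
function mergeDeepSafe(target: Dict, source: Dict): Dict {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      mergeDeepSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// The advisory's workaround: rebuild the parsed body without the forbidden keys.
function stripProtoKeys(value: any): any {
  if (Array.isArray(value)) return value.map(stripProtoKeys);
  if (!isPlainObject(value)) return value;
  const out: Dict = {};
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    out[key] = stripProtoKeys(value[key]);
  }
  return out;
}

// Constructed attacker body. JSON.parse creates an *own* "__proto__" property;
// an object literal `{ __proto__: ... }` would instead set the prototype and
// never reach the merge as a key.
const ATTACKER_BODY_JSON = '{"user":{"__proto__":{"isAdmin":true}},"name":"x"}';

// Merge `body` into a fresh object with the given strategy and report whether a
// brand-new object afterwards "has" isAdmin, i.e. whether Object.prototype was
// polluted. The pollution is undone so later probes start from a clean state.
function probe(merge: (t: Dict, s: Dict) => Dict, body: Dict): boolean {
  merge({}, body);
  const polluted = ({} as Dict).isAdmin === true;
  delete (Object.prototype as Dict).isAdmin;
  return polluted;
}

function unsafeMergePollutes(): boolean {
  return probe(mergeDeepUnsafe, JSON.parse(ATTACKER_BODY_JSON));
}

function strippedBodyPollutes(): boolean {
  return probe(mergeDeepUnsafe, stripProtoKeys(JSON.parse(ATTACKER_BODY_JSON)));
}

function safeMergePollutes(): boolean {
  return probe(mergeDeepSafe, JSON.parse(ATTACKER_BODY_JSON));
}

console.log(unsafeMergePollutes(), strippedBodyPollutes(), safeMergePollutes()); // true false false
```

Two details matter in practice: the `hasOwnProperty` check in `mergeDeepSafe` is what stops the recursion from descending into an inherited object even if a forbidden key slipped past the deny-list, and stripping the key from the body (the workaround) only protects the merge it is applied before; any other code path that later merges or assigns from the raw body still needs the hardened merge.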

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.47% probability of exploitation · percentile 37.2% · 2026-06-19T12:03:05Z
Published: 2025-12-09
Last modified: 2025-12-17

Underlying weaknesses (1)

CWE-1321

References

  1. https://github.com/elysiajs/elysia/commit/26935bf76ebc43b4a43d48b173fc853de43bb51e
  2. https://github.com/elysiajs/elysia/commit/3af978663e437dccc6c1a2a3aff4b74e1574849e
  3. https://github.com/elysiajs/elysia/pull/1564
  4. https://github.com/elysiajs/elysia/security/advisories/GHSA-8vch-m3f4-q8jf
  5. https://github.com/elysiajs/elysia/security/advisories/GHSA-hxj9-33pp-j2cc

Type | Target | Confidence | Tier
Weakness | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (cwe-1321) | 0% | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-66457
  2. CVE-2025-63704
  3. CVE-2026-8657
  4. CVE-2026-28794
  5. CVE-2025-13465
  6. CVE-2025-63703
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.