DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-30837: Regular Expression Denial of Service in Elysia Framework URL Validation

Vulnerability ID: CVE-2026-30837
CVSS Score: 7.5
Published: 2026-03-10

A critical Regular Expression Denial of Service (ReDoS) vulnerability in the Elysia TypeScript framework allows unauthenticated remote attackers to cause severe CPU exhaustion. The flaw exists in the TypeBox-backed URL validation schema, affecting all versions prior to 1.4.26.

TL;DR

Unauthenticated remote attackers can cause a Denial of Service (DoS) by sending crafted strings to endpoints utilizing Elysia's t.String({ format: 'url' }) schema validation.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-1333
  • Attack Vector: Network
  • CVSS v3.1 Score: 7.5 (High)
  • Impact: Denial of Service (Availability: High)
  • Exploit Status: Proof-of-Concept Available
  • Affected Component: t.String({ format: 'url' })

Affected Systems

  • Elysia Framework
  • Node.js/Bun environments running Elysia schemas
  • elysia: < 1.4.26 (Fixed in: 1.4.26)

Code Analysis

Commit: d17a7aa

Fix ReDoS in URL format validation by tightening character classes

Exploit Details

  • GitHub: Public Proof-of-Concept repository demonstrating the ReDoS payload against Elysia framework

Mitigation Strategies

  • Upgrade Elysia framework to version 1.4.26 or later.
  • Enforce maximum length limits (maxLength) on all URL string schema definitions.
  • Manually override the 'url' pattern in the TypeBox FormatRegistry.

Remediation Steps:

  1. Audit package.json and lockfiles to identify the current Elysia version.
  2. Run package manager update commands (e.g., npm update elysia) to pull version 1.4.26.
  3. Verify in the installed dependency tree that no transitive dependency still resolves to a vulnerable Elysia version.
  4. Restart the application server to apply the updated FormatRegistry patterns.
  5. If patching is not viable, deploy the FormatRegistry manual override within the application initialization phase.
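The two non-upgrade mitigations above (a hard `maxLength` and a replacement `'url'` format) can be combined into one linear-time check. The following is an added example, not Elysia's or TypeBox's own code: it bounds input length before any parsing and delegates the format decision to the WHATWG `URL` parser instead of a backtracking regex. The `MAX_URL_LENGTH` value and the allowed-scheme set are assumptions to be tuned per application; the `FormatRegistry.Set` call shown in a comment is the registration point the report refers to.

```javascript
// Added example (not Elysia's or TypeBox's own code): a linear-time 'url'
// format predicate plus a length bound, suitable as a FormatRegistry override.

const MAX_URL_LENGTH = 2048;                      // assumed bound; tune per application
const ALLOWED_SCHEMES = new Set(['http:', 'https:']); // assumed policy

/**
 * Returns { ok: true } for an acceptable absolute http(s) URL and
 * { ok: false, reason } otherwise. Every step is at most linear in the input:
 * a length comparison and one pass of the WHATWG URL parser, no regex backtracking.
 */
function checkUrlFormat(value) {
  if (typeof value !== 'string') return { ok: false, reason: 'not a string' };
  if (value.length > MAX_URL_LENGTH) return { ok: false, reason: 'too long' };
  let parsed;
  try {
    parsed = new URL(value);                      // throws on anything that is not an absolute URL
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return { ok: false, reason: 'scheme not allowed' };
  if (parsed.hostname === '') return { ok: false, reason: 'missing host' };
  return { ok: true };
}

// Boolean predicate in the shape TypeBox's FormatRegistry expects.
// Registration during application start-up (assumed usage, not executed here):
//   import { FormatRegistry } from '@sinclair/typebox';
//   FormatRegistry.Set('url', isUrl);
function isUrl(value) {
  return checkUrlFormat(value).ok;
}

// Constructed probe: a long run of one character is the class of input that
// pushes a backtracking regex into super-linear time. Here it never reaches a
// parser; the length bound rejects it in constant time, so the cost stays flat.
function probeMillis(length) {
  const input = 'http://' + 'a'.repeat(length);
  const start = process.hrtime.bigint();
  checkUrlFormat(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkUrlFormat('https://example.com/path?q=1'));
  console.log(checkUrlFormat('javascript:alert(1)'));
  console.log(`10k chars: ${probeMillis(10_000).toFixed(3)} ms, 1M chars: ${probeMillis(1_000_000).toFixed(3)} ms`);
}
```

Registering the predicate replaces the regex globally for every `t.String({ format: 'url' })` schema, which is why the report places the override in the application initialization phase rather than per route.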

Read the full report for CVE-2026-30837 on our website for more details including interactive diagrams and full exploit analysis.
