EUVD-2026-12749
GHSA-8hq9-phh3-p2wp
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4Description
### Impact Elysia cookie can be overridden by prototype pollution , eg. `__proto__` Sending cookie with the follows name can override cookie value: ```bash __proto__=%7B%22injected%22%3A%22polluted%22%7D ``` ### Patches Patched by 1.4.27 ### Workarounds 1. Use t.Cookie validation to enforce validation value 2. Prevent iterable over cookie if possible
Analysis
Elysia (npm package, versions prior to 1.4.27) is vulnerable to prototype pollution through maliciously crafted cookie names, allowing unauthenticated attackers to override application cookie values and potentially inject arbitrary data into the application's object prototype. With a CVSS score of 6.5 and network-accessible attack vector requiring no privileges or user interaction, attackers can manipulate cookie handling to gain limited information disclosure and integrity compromise. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today