Skip to main content

Prototype Pollution EUVDEUVD-2026-12749

| CVE-2026-31865 MEDIUM
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-03-17 https://github.com/elysiajs/elysia GHSA-8hq9-phh3-p2wp
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Mar 17, 2026 - 20:30 euvd
EUVD-2026-12749
Analysis Generated
Mar 17, 2026 - 20:30 vuln.today
Patch released
Mar 17, 2026 - 20:30 nvd
Patch available
CVE Published
Mar 17, 2026 - 16:17 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Impact

Elysia cookie can be overridden by prototype pollution , eg. __proto__

Sending cookie with the follows name can override cookie value:

bash
__proto__=%7B%22injected%22%3A%22polluted%22%7D

Patches

Patched by 1.4.27

Workarounds

  1. Use t.Cookie validation to enforce validation value
  2. Prevent iterable over cookie if possible

AnalysisAI

Elysia (npm package, versions prior to 1.4.27) is vulnerable to prototype pollution through maliciously crafted cookie names, allowing unauthenticated attackers to override application cookie values and potentially inject arbitrary data into the application's object prototype. With a CVSS score of 6.5 and network-accessible attack vector requiring no privileges or user interaction, attackers can manipulate cookie handling to gain limited information disclosure and integrity compromise. A proof-of-concept exploit demonstrating the __proto__ injection vector exists in the GitHub advisory.

Technical ContextAI

Elysia is a popular Node.js web framework (CPE: pkg:npm/elysia) that handles HTTP cookie parsing and management. The vulnerability stems from CWE-1321 (Prototype Pollution), a class of code injection flaws where attacker-controlled input is merged into JavaScript objects without proper sanitization, allowing modification of the Object prototype itself. When Elysia processes incoming HTTP cookies, it fails to filter or validate special property names like __proto__, constructor, and prototype. An attacker sending a crafted cookie header with a name such as __proto__=%7B%22injected%22%3A%22polluted%22%7D (URL-encoded JSON) causes the cookie parsing logic to pollute the prototype chain, affecting all objects created subsequently in that application process. This is a server-side code injection vulnerability triggered through the HTTP Cookie header (CWE-1321 encompasses unsafe object merging patterns).

RemediationAI

Immediately upgrade Elysia to version 1.4.27 or later, which includes the patch committed at e9d6b1743fa7368ef942dce181f6a089757f6aab (visible in the GitHub advisory at https://github.com/elysiajs/elysia/security/advisories/GHSA-8hq9-phh3-p2wp). For applications unable to patch immediately, implement the following workarounds: (1) Apply strict validation to all cookie values using Elysia's t.Cookie validation schema to reject cookies with suspicious or unexpected structures, (2) minimize iteration over cookie objects in application code to reduce the window for prototype pollution exploitation, and (3) consider disabling or restricting cookie handling at the reverse proxy or WAF layer if feasible. Test patches in staging environments before production deployment to ensure compatibility with existing cookie-dependent application logic.

CVE-2026-34621 HIGH POC
8.6 Apr 11

Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu

CVE-2024-56059 CRITICAL
9.8 Dec 18

Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau

CVE-2020-28271 CRITICAL POC
9.8 Nov 12

Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service

CVE-2023-38894 CRITICAL POC
9.8 Aug 16

A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi

CVE-2024-24292 CRITICAL POC
9.8 Mar 28

A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function

CVE-2023-26121 CRITICAL POC
10.0 Apr 11

All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s

CVE-2021-23449 CRITICAL POC
10.0 Oct 18

This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr

CVE-2024-39011 CRITICAL POC
9.8 Jul 30

Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser

CVE-2024-38988 CRITICAL POC
9.8 Mar 28

alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde

CVE-2025-57347 CRITICAL POC
9.8 Sep 24

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf

CVE-2025-57321 CRITICAL POC
9.8 Sep 24

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all

CVE-2024-45435 CRITICAL POC
9.8 Aug 29

Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this

Share

EUVD-2026-12749 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy