Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Remote, low-complexity, unauthenticated request to any multipart endpoint triggers CPU exhaustion; impact is availability-only with no confidentiality or integrity effect.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to 1.4.29, Elysia uses getAll in form data normalization for multipart/form-data endpoints, causing the amount of work to grow quadratically with the number of unique key-value pairs and allowing CPU exhaustion. This issue is fixed in version 1.4.29.
AnalysisAI
Denial of service in the Elysia TypeScript web framework (versions prior to 1.4.29) lets remote unauthenticated attackers exhaust server CPU by submitting multipart/form-data requests containing many unique key-value pairs. Elysia's form-data normalization uses getAll in a way that scales quadratically with the number of fields, so a single crafted request can consume disproportionate processing time and stall the event loop. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target Elysia application (version < 1.4.29) to expose at least one endpoint that parses multipart/form-data request bodies; the attacker then sends such a request containing a large number of unique key-value pairs to trigger the O(n²) normalization. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base 7.5) is internally consistent with the description: network-reachable, low-complexity, no authentication or user interaction, and impact limited to availability only. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies an Elysia application (below 1.4.29) exposing an endpoint that accepts multipart/form-data and sends a single request packed with a large number of unique field names. The quadratic normalization pins a CPU core and blocks the event loop, and repeating the request keeps the service unresponsive to legitimate users. … |
| Remediation | Vendor-released patch: upgrade to Elysia 1.4.29, which replaces the quadratic getAll-based form-data normalization (fix commit https://github.com/elysiajs/elysia/commit/8358ff9efbcedf9534995f5977f26b9ceab59329, released at https://github.com/elysiajs/elysia/releases/tag/1.4.29). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and inventory all applications using Elysia; determine versions and production deployments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-407 – Inefficient Algorithmic Complexity
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42394