Skip to main content

Elysia EUVDEUVD-2026-42394

| CVE-2026-56669 HIGH
Inefficient Algorithmic Complexity (CWE-407)
2026-07-08 security-advisories@github.com
7.5
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Remote, low-complexity, unauthenticated request to any multipart endpoint triggers CPU exhaustion; impact is availability-only with no confidentiality or integrity effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 22:04 EUVD
Analysis Generated
Jul 08, 2026 - 21:42 vuln.today

DescriptionCVE.org

Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to 1.4.29, Elysia uses getAll in form data normalization for multipart/form-data endpoints, causing the amount of work to grow quadratically with the number of unique key-value pairs and allowing CPU exhaustion. This issue is fixed in version 1.4.29.

AnalysisAI

Denial of service in the Elysia TypeScript web framework (versions prior to 1.4.29) lets remote unauthenticated attackers exhaust server CPU by submitting multipart/form-data requests containing many unique key-value pairs. Elysia's form-data normalization uses getAll in a way that scales quadratically with the number of fields, so a single crafted request can consume disproportionate processing time and stall the event loop. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify reachable multipart/form-data endpoint
Delivery
Craft request with many unique fields
Exploit
Trigger quadratic getAll normalization
Execution
Exhaust CPU and block event loop
Impact
Repeat to sustain denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires the target Elysia application (version < 1.4.29) to expose at least one endpoint that parses multipart/form-data request bodies; the attacker then sends such a request containing a large number of unique key-value pairs to trigger the O(n²) normalization. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base 7.5) is internally consistent with the description: network-reachable, low-complexity, no authentication or user interaction, and impact limited to availability only. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies an Elysia application (below 1.4.29) exposing an endpoint that accepts multipart/form-data and sends a single request packed with a large number of unique field names. The quadratic normalization pins a CPU core and blocks the event loop, and repeating the request keeps the service unresponsive to legitimate users. …
Remediation Vendor-released patch: upgrade to Elysia 1.4.29, which replaces the quadratic getAll-based form-data normalization (fix commit https://github.com/elysiajs/elysia/commit/8358ff9efbcedf9534995f5977f26b9ceab59329, released at https://github.com/elysiajs/elysia/releases/tag/1.4.29). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all applications using Elysia; determine versions and production deployments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42394 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy