CVE-2025-66456
📋 TL;DR
This CVE describes a prototype pollution vulnerability in the Elysia TypeScript framework. A remote attacker sends a request whose body contains a '__proto__' key; when Elysia merges validation results, that key is copied into Object.prototype of the server process. On its own this corrupts application state; chained with the separate advisory GHSA-8vch-m3f4-q8jf it allows remote code execution (RCE) and full control of the affected server. All users running Elysia versions 1.4.0 through 1.4.16 inclusive are affected.
💻 Affected Systems
- Elysia TypeScript Framework
📦 What is this software?
Elysia, a TypeScript web framework from the elysiajs project, designed primarily for the Bun runtime.
⚠️ Risk & Real-World Impact
Worst Case
Full remote code execution leading to complete system compromise, data theft, and lateral movement within the network.
Likely Case
Pollution of Object.prototype in the server process, corrupting application logic, bypassing checks that rely on a property being absent, or crashing the process (denial of service); escalation to arbitrary code execution, data theft and malware or ransomware deployment when chained with GHSA-8vch-m3f4-q8jf.
If Mitigated
Limited impact: with '__proto__' keys stripped or rejected before validation and no chain to GHSA-8vch-m3f4-q8jf available, the residual risk is denial of service or limited data exposure.
🎯 Exploit Status
The vulnerability itself is prototype pollution: a crafted request body pollutes Object.prototype in the server process, which enables further exploitation. Full RCE requires chaining it with GHSA-8vch-m3f4-q8jf.
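Added example (not code from Elysia or from either advisory) showing the mechanism described above in isolation: a naive recursive merge of the kind that is vulnerable, beside a hardened merge that skips prototype-affecting keys. The attacker body, the merge functions and the 'isAdmin' marker are constructed for illustration; Elysia's own merge routine is not reproduced here, and the hardened version also blocks 'constructor' and 'prototype', which goes beyond the single key the advisory names.

```javascript
// Constructed attacker request body, as it would arrive in a JSON POST. JSON.parse creates an
// OWN enumerable property named "__proto__" (it does not set the object's prototype), so any
// merge that iterates Object.keys() will see and copy it.
const ATTACKER_BODY = '{"name":"alice","__proto__":{"isAdmin":true}}';

// Naive deep merge of the kind that is vulnerable. Reading target["__proto__"] on a plain object
// returns Object.prototype through the inherited accessor, so the recursion then writes
// src.__proto__.isAdmin straight into Object.prototype, polluting every object in the process.
function naiveMerge(target, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skip keys that can reach a prototype, and only treat an OWN property of target
// as an existing sub-object (never the inherited __proto__ accessor). "constructor" and
// "prototype" are blocked too, a general hardening beyond the single key named in the advisory.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = src[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (!own || typeof own !== 'object') target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// A fresh, unrelated object inherits isAdmin only if Object.prototype has been polluted.
function isPolluted() {
  return ({}).isAdmin === true;
}

// Runs the hardened merge first (expected: no pollution), then the naive merge (expected:
// polluted), and removes the injected property afterwards so the rest of the process is clean.
function runDemo() {
  const results = {};
  const safeTarget = safeMerge({}, JSON.parse(ATTACKER_BODY));
  results.safeName = safeTarget.name;
  results.safePolluted = isPolluted();
  naiveMerge({}, JSON.parse(ATTACKER_BODY));
  results.naivePolluted = isPolluted();
  delete Object.prototype.isAdmin;
  return results;
}
```

The order matters in the demo: pollution is process-wide state, so once the naive merge has run, every later check would see 'isAdmin' until it is deleted again. That is also why a single malicious request to a vulnerable server affects all subsequent requests, not just the attacker's own.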
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.17
Vendor Advisory: https://github.com/elysiajs/elysia/security/advisories/GHSA-hxj9-33pp-j2cc
Restart Required: Yes
Instructions:
1. Update Elysia to version 1.4.17 or later: 'npm install elysia@latest' (or 'npm update elysia' if the range in package.json already allows 1.4.17; 'bun add elysia@latest' on Bun).
2. Rebuild or redeploy if the application is bundled, then restart the application server.
3. Verify the update by checking package.json and the lockfile, or by running 'npm list elysia'.
🔧 Temporary Workarounds
Remove __proto__ key from request body
Filter out '__proto__' keys (at the top level and inside nested objects) from incoming request bodies before Elysia's validation step runs.
// Elysia lifecycle hook to strip __proto__ keys from the parsed body.
// onTransform runs after body parsing and before schema validation, so the key never reaches the merge.
import { Elysia } from 'elysia';
const stripProto = (value) => {
  if (!value || typeof value !== 'object') return;
  // Own-property check: a JSON body's "__proto__" is an own key, unlike the inherited accessor.
  if (Object.prototype.hasOwnProperty.call(value, '__proto__')) delete value['__proto__'];
  for (const key of Object.keys(value)) stripProto(value[key]); // recurse into nested objects and arrays
};
const app = new Elysia().onTransform(({ body }) => {
  stripProto(body);
});
🧯 If You Can't Patch
- Add validation middleware that rejects (HTTP 400) any request whose parsed body contains a '__proto__' key at any depth, not only at the top level.
- Deploy network-level protections such as WAF rules that block payloads containing '__proto__'; expect some false positives where the string legitimately appears inside a value rather than as a key.
🔍 How to Verify
Check if Vulnerable:
Check package.json or run 'npm list elysia' to see if version is between 1.4.0 and 1.4.16 inclusive.
Check Version:
npm list elysia | grep elysia
Verify Fix Applied:
Confirm the installed Elysia version is 1.4.17 or higher with 'npm list elysia', then send a test request whose body contains a '__proto__' key and confirm that Object.prototype is unchanged afterwards (for example, that a fresh object created in the process does not inherit the injected property).
📡 Detection & Monitoring
Log Indicators:
- Unusual request patterns with '__proto__' in payloads
- Unexpected process spawns or file system modifications
Network Indicators:
- HTTP requests containing '__proto__' keys in JSON/body payloads
- Unusual outbound connections from application servers
SIEM Query:
source="application_logs" AND "__proto__"
Matching the literal string also hits benign bodies where '__proto__' merely appears inside a value (a comment field, for instance), and the phrase "prototype pollution" will not normally appear in application logs unless a library writes it; confirm a hit by checking whether '__proto__' occurs as an object key in the parsed body before alerting.
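Added example (not part of the original advisory and not Elysia code) of the detection logic the indicators above call for, run over constructed NDJSON access-log lines. The field names (ts, src, method, path, body) and the sample entries are assumptions. It shows why a bare substring match on '__proto__' is noisy: the string can sit inside a value, which is harmless, while only an object key at any depth can pollute, and a body that is not JSON cannot be classified automatically.

```javascript
// Constructed sample access-log entries (NDJSON, one request per line). Field names are assumed;
// "body" holds the raw request body as a string, which is what the detection needs.
const SAMPLE_ENTRIES = [
  { ts: '2025-12-01T10:00:00Z', src: '203.0.113.5',  method: 'POST', path: '/api/profile',  body: '{"name":"alice"}' },
  { ts: '2025-12-01T10:00:01Z', src: '198.51.100.7', method: 'POST', path: '/api/profile',  body: '{"name":"bob","__proto__":{"isAdmin":true}}' },
  { ts: '2025-12-01T10:00:02Z', src: '203.0.113.9',  method: 'POST', path: '/api/comment',  body: '{"text":"what does __proto__ do?"}' },
  { ts: '2025-12-01T10:00:03Z', src: '198.51.100.7', method: 'PUT',  path: '/api/settings', body: '{"profile":{"prefs":[{"__proto__":{"x":1}}]}}' },
  { ts: '2025-12-01T10:00:04Z', src: '192.0.2.44',   method: 'POST', path: '/api/legacy',   body: 'name=carol&__proto__[isAdmin]=true' },
];
const SAMPLE_LOG = SAMPLE_ENTRIES.map((e) => JSON.stringify(e)).join('\n');

// True if "__proto__" occurs as an object KEY anywhere in a parsed JSON value. Strings that
// happen to contain the text do not count; they cannot pollute anything.
function hasProtoKey(value) {
  if (!value || typeof value !== 'object') return false;
  if (Array.isArray(value)) return value.some((item) => hasProtoKey(item));
  return Object.keys(value).some((key) => key === '__proto__' || hasProtoKey(value[key]));
}

// Classify each log line: 'alert' when the body has a real __proto__ key, 'benign' when the
// text only appears inside a value, 'review' when the body is not JSON and cannot be parsed.
function scanLog(ndjson) {
  const findings = [];
  for (const line of ndjson.split('\n')) {
    if (!line.trim()) continue;
    const entry = JSON.parse(line);
    const body = typeof entry.body === 'string' ? entry.body : '';
    if (!body.includes('__proto__')) continue; // cheap pre-filter, same as the SIEM substring query
    let parsed;
    try {
      parsed = JSON.parse(body);
    } catch (err) {
      parsed = undefined;
    }
    let verdict;
    if (parsed === undefined) verdict = 'review';
    else verdict = hasProtoKey(parsed) ? 'alert' : 'benign';
    findings.push({ ts: entry.ts, src: entry.src, method: entry.method, path: entry.path, verdict });
  }
  return findings;
}
```

Pivot from the 'alert' entries: a source that sent one and later shows up in the other indicators listed above (unexpected process spawns, unusual outbound connections from the application server) is the chain to investigate first.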
🔗 References
- https://github.com/elysiajs/elysia/commit/26935bf76ebc43b4a43d48b173fc853de43bb51e
- https://github.com/elysiajs/elysia/commit/3af978663e437dccc6c1a2a3aff4b74e1574849e
- https://github.com/elysiajs/elysia/pull/1564
- https://github.com/elysiajs/elysia/security/advisories/GHSA-8vch-m3f4-q8jf
- https://github.com/elysiajs/elysia/security/advisories/GHSA-hxj9-33pp-j2cc