CVE-2026-30837 HIGH

CVE-2026-30837: Elysia has a string URL format ReDoS

Vendor Elysiajs
Product elysia
Weakness CWE-1333
Published March 10, 2026
Last update March 11, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

Elysia is a TypeScript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26, t.String({ format: 'url' }) is vulnerable to ReDoS. Repeating a partial URL format (protocol and hostname) multiple times causes the regex to slow down significantly. This vulnerability is fixed in 1.4.26.

Key dates

02 Disclosure timeline

March 10, 2026 CVE published
March 11, 2026 Record updated