Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/72853?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/72853?format=api", "purl": "pkg:npm/elysia@1.4.17", "type": "npm", "namespace": "", "name": "elysia", "version": "1.4.17", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "1.4.17", "latest_non_vulnerable_version": "1.4.26", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49381?format=api", "vulnerability_id": "VCID-4wjr-2u8x-dbdg", "summary": "Elysia vulnerable to prototype pollution with multiple standalone schema validation\nPrototype pollution vulnerability in `mergeDeep` after merging results of two standard schema validations with the same key. Due to the ordering of merging, there must be an `any` type that is set as a `standalone` guard, to allow for the `__proto__` prop to be merged.\n\nWhen combined with GHSA-8vch-m3f4-q8jf this allows for a full RCE by an attacker.", "references": [ { "reference_url": "https://github.com/elysiajs/elysia", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/elysiajs/elysia" }, { "reference_url": "https://github.com/elysiajs/elysia/commit/26935bf76ebc43b4a43d48b173fc853de43bb51e", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/elysiajs/elysia/commit/26935bf76ebc43b4a43d48b173fc853de43bb51e" }, { "reference_url": "https://github.com/elysiajs/elysia/commit/3af978663e437dccc6c1a2a3aff4b74e1574849e", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/elysiajs/elysia/commit/3af978663e437dccc6c1a2a3aff4b74e1574849e" }, { "reference_url": "https://github.com/elysiajs/elysia/pull/1564", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/elysiajs/elysia/pull/1564" }, { "reference_url": "https://github.com/sportshead/elysia-poc", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/sportshead/elysia-poc" 
}, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66456", "reference_id": "CVE-2025-66456", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66456" }, { "reference_url": "https://github.com/elysiajs/elysia/security/advisories/GHSA-8vch-m3f4-q8jf", "reference_id": "GHSA-8vch-m3f4-q8jf", "reference_type": "", "scores": [], "url": "https://github.com/elysiajs/elysia/security/advisories/GHSA-8vch-m3f4-q8jf" }, { "reference_url": "https://github.com/advisories/GHSA-hxj9-33pp-j2cc", "reference_id": "GHSA-hxj9-33pp-j2cc", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hxj9-33pp-j2cc" }, { "reference_url": "https://github.com/elysiajs/elysia/security/advisories/GHSA-hxj9-33pp-j2cc", "reference_id": "GHSA-hxj9-33pp-j2cc", "reference_type": "", "scores": [], "url": "https://github.com/elysiajs/elysia/security/advisories/GHSA-hxj9-33pp-j2cc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/72853?format=api", "purl": "pkg:npm/elysia@1.4.17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/elysia@1.4.17" } ], "aliases": [ "CVE-2025-66456", "GHSA-hxj9-33pp-j2cc" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4wjr-2u8x-dbdg" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/elysia@1.4.17" }