{"url":"http://public2.vulnerablecode.io/api/packages/72853?format=json","purl":"pkg:npm/elysia@1.4.17","type":"npm","namespace":"","name":"elysia","version":"1.4.17","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"1.4.18","latest_non_vulnerable_version":"1.4.26","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49381?format=json","vulnerability_id":"VCID-4wjr-2u8x-dbdg","summary":"Elysia vulnerable to prototype pollution with multiple standalone schema validation\nPrototype pollution vulnerability in `mergeDeep` after merging results of two standard schema validations with the same key. Due to the ordering of merging, there must be an `any` type that is set as a `standalone` guard, to allow for the `__proto__` prop to be merged.\n\nWhen combined with GHSA-8vch-m3f4-q8jf this allows for a full RCE by an attacker.","references":[{"reference_url":"https://github.com/elysiajs/elysia","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/elysiajs/elysia"},{"reference_url":"https://github.com/elysiajs/elysia/commit/26935bf76ebc43b4a43d48b173fc853de43bb51e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/elysiajs/elysia/commit/26935bf76ebc43b4a43d48b173fc853de43bb51e"},{"reference_url":"https://github.com/elysiajs/elysia/commit/3af978663e437dccc6c1a2a3aff4b74e1574849e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/elysiajs/elysia/commit/3af978663e437dccc6c1a2a3aff4b74e1574849e"},{"reference_url":"https://github.com/elysiajs/elysia/pull/1564","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/elysiajs/elysia/pull/1564"},{"reference_url":"https://github.com/sportshead/elysia-poc","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/sportshead/elysia-poc"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66456","reference_id":"CVE-2025-66456","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66456"},{"reference_url":"https://github.com/elysiajs/elysia/security/advisories/GHSA-8vch-m3f4-q8jf","reference_id":"GHSA-8vch-m3f4-q8jf","reference_type":"","scores":[],"url":"https://github.com/elysiajs/elysia/security/advisories/GHSA-8vch-m3f4-q8jf"},{"reference_url":"https://github.com/advisories/GHSA-hxj9-33pp-j2cc","reference_id":"GHSA-hxj9-33pp-j2cc","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-hxj9-33pp-j2cc"},{"reference_url":"https://github.com/elysiajs/elysia/security/advisories/GHSA-hxj9-33pp-j2cc","reference_id":"GHSA-hxj9-33pp-j2cc","reference_type":"","scores":[],"url":"https://github.com/elysiajs/elysia/security/advisories/GHSA-hxj9-33pp-j2cc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72853?format=json","purl":"pkg:npm/elysia@1.4.17","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/elysia@1.4.17"}],"aliases":["CVE-2025-66456","GHSA-hxj9-33pp-j2cc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4wjr-2u8x-dbdg"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/elysia@1.4.17"}