{"id":"CVE-2025-66456","summary":"Elysia vulnerable to prototype pollution with multiple standalone schema validation","details":"Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.0 through 1.4.16 contain a prototype pollution vulnerability in `mergeDeep` after merging results of two standard schema validations with the same key. Due to the ordering of merging, there must be an any type that is set as a standalone guard, to allow for the `__proto__ prop` to be merged. When combined with GHSA-8vch-m3f4-q8jf this allows for a full RCE by an attacker. This issue is fixed in version 1.4.17. To workaround, remove the `__proto__ key` from body.","aliases":["GHSA-hxj9-33pp-j2cc"],"modified":"2026-04-10T05:35:15.919806Z","published":"2025-12-09T19:43:10.252Z","related":["GHSA-8vch-m3f4-q8jf","GHSA-hxj9-33pp-j2cc"],"database_specific":{"cwe_ids":["CWE-1321"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66456.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66456.json"},{"type":"ADVISORY","url":"https://github.com/elysiajs/elysia/security/advisories/GHSA-8vch-m3f4-q8jf"},{"type":"ADVISORY","url":"https://github.com/elysiajs/elysia/security/advisories/GHSA-hxj9-33pp-j2cc"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66456"},{"type":"FIX","url":"https://github.com/elysiajs/elysia/commit/26935bf76ebc43b4a43d48b173fc853de43bb51e"},{"type":"FIX","url":"https://github.com/elysiajs/elysia/commit/3af978663e437dccc6c1a2a3aff4b74e1574849e"},{"type":"FIX","url":"https://github.com/elysiajs/elysia/pull/1564"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/elysiajs/elysia","events":[{"introduced":"9593648d4289e262035821179e73f16a3271dee9"},{"fixed":"428b9765af69739897b86c294563af8809dd40c3"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66456.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"}]}