{"id":"CVE-2026-30837","summary":"Elysia has a string URL format redos","details":"Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26 , t.String({ format: 'url' }) is vulnerable to ReDoS. Repeating a partial url format (protocol and hostname) multiple times cause regex to slow down significantly. This vulnerability is fixed in 1.4.26.","aliases":["GHSA-f45g-68q3-5w8x"],"modified":"2026-04-10T05:41:54.403117Z","published":"2026-03-10T20:12:14.627Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30837.json","cwe_ids":["CWE-1333"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30837.json"},{"type":"ADVISORY","url":"https://github.com/elysiajs/elysia/security/advisories/GHSA-f45g-68q3-5w8x"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30837"},{"type":"PACKAGE","url":"https://github.com/EdamAme-x/elysia-poc-redos"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/elysiajs/elysia","events":[{"introduced":"0"},{"fixed":"bbaf6b7f729b858a7435bf28b97119112177479e"}]}],"versions":["0.0.0-experimental.28","0.0.0-experimental.29","0.0.0-experimental.37","0.0.0-experimental.39","0.0.0-experimental.51","0.1","0.2.0","0.3","0.4","0.7","0.8.0-exp.10","1.1.12","1.1.13","1.2.1","1.2.10","1.2.11","1.2.12","1.2.13","1.2.14","1.2.15","1.2.16","1.2.17","1.2.18","1.2.19","1.2.2","1.2.20","1.2.21","1.2.22","1.2.23","1.2.24","1.2.25","1.2.3","1.2.4","1.2.5","1.2.6","1.2.7","1.2.8","1.2.9","1.3.0","1.3.1","1.3.10","1.3.11","1.3.12","1.3.2","1.3.3","1.3.4","1.3.5","1.3.6","1.3.7","1.3.8","1.3.9","1.4.1","1.4.10","1.4.11","1.4.12","1.4.13","1.4.14","1.4.15","1.4.16","1.4.17","1.4.18","1.4.19","1.4.2","1.4.20","1.4.21","1.4.22","1.4.23","1.4.24","1.4.25","1.4.3","1.4.4","1.4.5","1.4.6","1.4.8","1.4.9","v0.4.12","v0.5.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30837.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}