GHSA-F45G-68Q3-5W8X

Vulnerability from github – Published: 2026-03-10 21:04 – Updated: 2026-03-10 22:55
Summary
Elysia has a string URL format ReDoS
Details

Impact

`t.String({ format: 'url' })` is vulnerable to ReDoS.

Repeating a partial URL (protocol and hostname) many times causes the regex to slow down significantly:

```js
'http://a'.repeat(n)
```

Here's a table demonstrating how long it takes to process the repeated partial URL:

| `n` repeat | elapsed_ms |
| --- | --- |
| 1024 | 33.993 |
| 2048 | 134.357 |
| 4096 | 537.608 |
| 8192 | 2155.842 |
| 16384 | 8618.457 |
| 32768 | 34604.139 |

Patches

Patched by 1.4.26, please kindly update `elysia` to >= 1.4.26

Here's how long it takes after the patch:

| `n` repeat | elapsed_ms |
| --- | --- |
| 1024 | 0.194 |
| 2048 | 0.274 |
| 4096 | 0.455 |
| 8192 | 0.831 |
| 16384 | 1.632 |
| 32768 | 3.052 |

Workarounds

1. It's recommended to always limit the URL format to a reasonable length:

```ts
t.String({
    format: 'url',
    maxLength: 288
})
```

2. If a long URL format is necessary, to patch this without updating to 1.4.26, add the following code to any part of your codebase (it replaces the registered `url` format validator with the patched regex):

```js
import { FormatRegistry } from '@sinclair/typebox'

FormatRegistry.Delete('url')
FormatRegistry.Set('url', (value) =>
    /^(?:https?|ftp):\/\/(?:[^\s:@]+(?::[^\s@]*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)(?:\.(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)*(?:\.(?:[a-z\u{00a1}-\u{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$/iu.test(
        value
    )
)
```
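The two workarounds compose naturally: check the length bound first, so oversized input never reaches the regex engine, then run the patched regex. The following is an added example (not Elysia's or TypeBox's own code) that does exactly that and shows how the combined check would be wired into a `FormatRegistry`-style object. The regex is copied verbatim from the workaround above; the bound of 288 is taken from the `maxLength` example; the registry is a duck-typed stand-in exposing `Delete` and `Set` (assumed to mirror the TypeBox calls the advisory uses) so the example runs without `@sinclair/typebox` installed, and all sample inputs are constructed.

```javascript
// Patched URL regex from the advisory's workaround (copied verbatim).
const SAFE_URL_RE = /^(?:https?|ftp):\/\/(?:[^\s:@]+(?::[^\s@]*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)(?:\.(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)*(?:\.(?:[a-z\u{00a1}-\u{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$/iu;

// Assumed bound, taken from the advisory's `maxLength: 288` example.
const URL_MAX_LENGTH = 288;

// Length-bounded URL check: reject non-strings and oversized input before
// the regex engine ever sees the value, then apply the patched regex.
function isUrl(value, maxLength = URL_MAX_LENGTH) {
  if (typeof value !== 'string' || value.length > maxLength) return false;
  return SAFE_URL_RE.test(value);
}

// Registers the bounded check as the `url` format. `registry` is assumed to
// expose Delete(name) and Set(name, fn), as the advisory's snippet calls them.
function registerSafeUrlFormat(registry, maxLength = URL_MAX_LENGTH) {
  registry.Delete('url');
  registry.Set('url', (value) => isUrl(value, maxLength));
}

// Minimal stand-in registry (hypothetical) so the example runs offline.
function makeFakeRegistry() {
  const formats = new Map();
  return {
    Delete: (name) => formats.delete(name),
    Set: (name, fn) => formats.set(name, fn),
    Get: (name) => formats.get(name),
  };
}

// Runs the registered check over constructed inputs and returns the verdicts.
function demo() {
  const registry = makeFakeRegistry();
  registerSafeUrlFormat(registry);
  const check = registry.Get('url');
  return {
    plain: check('https://example.com/path?q=1'),  // ordinary public URL
    publicIp: check('http://8.8.8.8'),             // public IPv4 literal
    privateIp: check('http://192.168.1.1'),        // excluded by the lookahead
    noTld: check('http://localhost'),              // no TLD, so not a URL here
    repeated: check('http://a'.repeat(4096)),      // 32768 chars: stopped by length guard
  };
}

console.log(demo());
```

`isUrl` takes the bound as a parameter so a route that genuinely needs long URLs can raise it deliberately while every other route keeps the default; the `typeof` check also keeps non-string JSON values from reaching `RegExp.prototype.test`, which would otherwise coerce them.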

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "elysia"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30837"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-10T21:04:25Z",
    "nvd_published_at": "2026-03-10T21:16:47Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n`t.String({ format: \u0027url\u0027 })` is vulnerable to redos\n\nRepeating a partial url format (protocol and hostname) multiple times cause regex to slow down significantly\n```js\n\u0027http://a\u0027.repeat(n)\n```\n\nHere\u0027s a table demonstrating how long it takes to process repeated partial url format\n| `n` repeat | elapsed_ms |\n| --- | --- |\n| 1024 | 33.993 |\n| 2048 | 134.357 |\n| 4096 | 537.608 |\n| 8192 | 2155.842 |\n| 16384 | 8618.457 |\n| 32768 | 34604.139 |\n\n### Patches\nPatched by 1.4.26, please kindly update `elysia` to \u003e= 1.4.26 \n\nHere\u0027s how long it takes after the patch\n| `n` repeat | elapsed_ms |\n| --- | --- |\n| 1024 | 0.194 |\n| 2048 | 0.274 |\n| 4096 | 0.455 |\n| 8192 | 0.831 |\n| 16384 | 1.632 |\n| 32768 | 3.052 |\n\n### Workarounds\n1. It\u0027s recommended to always limit URL format to a reasonable length\n```ts\nt.String({\n\tformat: \u0027url\u0027,\n\tmaxLength: 288\n})\n```\n\n2. If a long URL format is necessary, to patch this without updating to 1.4.26, add the following code to any part of your codebase\n```js\nimport { FormatRegistry } from \u0027@sinclair/typebox\u0027\n\nFormatRegistry.Delete(\u0027url\u0027)\nFormatRegistry.Set(\u0027url\u0027, (value) =\u003e\n\t/^(?:https?|ftp):\\/\\/(?:[^\\s:@]+(?::[^\\s@]*)?@)?(?:(?!(?:10|127)(?:\\.\\d{1,3}){3})(?!(?:169\\.254|192\\.168)(?:\\.\\d{1,3}){2})(?!172\\.(?:1[6-9]|2\\d|3[0-1])(?:\\.\\d{1,3}){2})(?:[1-9]\\d?|1\\d\\d|2[01]\\d|22[0-3])(?:\\.(?:1?\\d{1,2}|2[0-4]\\d|25[0-5])){2}(?:\\.(?:[1-9]\\d?|1\\d\\d|2[0-4]\\d|25[0-4]))|(?:(?:[a-z0-9\\u{00a1}-\\u{ffff}]+-)*[a-z0-9\\u{00a1}-\\u{ffff}]+)(?:\\.(?:[a-z0-9\\u{00a1}-\\u{ffff}]+-)*[a-z0-9\\u{00a1}-\\u{ffff}]+)*(?:\\.(?:[a-z\\u{00a1}-\\u{ffff}]{2,})))(?::\\d{2,5})?(?:\\/[^\\s]*)?$/iu.test(\n\t\tvalue\n\t)\n)\n```",
  "id": "GHSA-f45g-68q3-5w8x",
  "modified": "2026-03-10T22:55:50Z",
  "published": "2026-03-10T21:04:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/elysiajs/elysia/security/advisories/GHSA-f45g-68q3-5w8x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30837"
    },
    {
      "type": "WEB",
      "url": "https://github.com/EdamAme-x/elysia-poc-redos"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/elysiajs/elysia"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Elysia has a string URL format ReDoS"
}

