CVE-2026-30837 — HIGH (7.5)

Q: How severe is CVE-2026-30837?

CVE-2026-30837 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-30837?

Check the references section above for vendor advisories and patch information. Affected products include: Elysiajs Elysia.

Vulnerability Description

Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26 , t.String({ format: 'url' }) is vulnerable to ReDoS. Repeating a partial url format (protocol and hostname) multiple times cause regex to slow down significantly. This vulnerability is fixed in 1.4.26.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Elysiajs	Elysia	< 1.4.26

Related Weaknesses (CWE)

CWE-1333

References

https://github.com/EdamAme-x/elysia-poc-redosExploit
https://github.com/elysiajs/elysia/security/advisories/GHSA-f45g-68q3-5w8xMitigationVendor Advisory

FAQ

What is CVE-2026-30837?

CVE-2026-30837 is a vulnerability with a CVSS score of 7.5 (HIGH). Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26 , t.String({ format: 'url' }) is vulnerable to ReDoS. Re...

How severe is CVE-2026-30837?

CVE-2026-30837 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-30837?

Check the references section above for vendor advisories and patch information. Affected products include: Elysiajs Elysia.