Cyber Posture

CVE-2026-30837

Severity: High · Public PoC

Published: 10 March 2026
Modified: 20 March 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: fix available in 1.4.26
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0003 (7.5th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-30837 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Elysiajs Elysia. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 7.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).
Threat & Defense Details

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

ReDoS in public-facing URL validator directly enables application exploitation to exhaust CPU/resources and deny service (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Elysia is a TypeScript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26, t.String({ format: 'url' }) is vulnerable to ReDoS. Repeating a partial URL format (protocol and hostname) multiple times causes the regex to slow down significantly. This vulnerability is fixed in 1.4.26.

Deeper analysis

CVE-2026-30837, published on 2026-03-10, affects Elysia, a TypeScript framework used for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.26, the t.String({ format: 'url' }) validator is vulnerable to Regular Expression Denial of Service (ReDoS), classified under CWE-1333. When a partial URL (for example, the protocol and hostname) is repeated many times in a single input, the underlying regex engine backtracks heavily and matching slows down significantly. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no confidentiality or integrity effects.

Remote attackers can exploit this vulnerability without authentication, privileges, or user interaction by submitting crafted HTTP requests to endpoints that employ the vulnerable URL format validator. Exploitation triggers excessive CPU usage in the regex matching process, leading to degraded performance or complete denial of service on affected servers handling such inputs.

The issue is addressed in Elysia version 1.4.26, which includes a fix for the ReDoS vulnerability. Security advisories recommend upgrading to this version or later. Further details, including a proof-of-concept exploit, are provided in the Elysia GitHub security advisory at GHSA-f45g-68q3-5w8x and a dedicated POC repository at elysia-poc-redos.

Details

CWE(s): CWE-1333 Inefficient Regular Expression Complexity

Affected Products

elysiajs elysia, versions ≤ 1.4.26

CVEs Like This One

CVE-2025-66456 · Same product: Elysiajs Elysia
CVE-2025-70030 · Shared CWE-1333
CVE-2026-28356 · Shared CWE-1333
CVE-2026-22178 · Shared CWE-1333
CVE-2026-1388 · Shared CWE-1333
CVE-2026-23897 · Shared CWE-1333
CVE-2026-4867 · Shared CWE-1333
CVE-2026-35213 · Shared CWE-1333
CVE-2026-23956 · Shared CWE-1333
CVE-2026-27904 · Shared CWE-1333

References