Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution , eg. __proto__. This issue is patched in 1.4.27. As a workaround, use t.Cookie validation to enforce validation value and/or prevent iterable over cookie if possible.
Weakness
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/1.html
- https://cwe.mitre.org/data/definitions/180.html
- https://cwe.mitre.org/data/definitions/77.html