EXECUTIVE SUMMARY:
The vulnerability CVE-2026-31865 is a prototype pollution issue identified in the elysia npm package, where improper handling of cookie values allows attackers to manipulate object prototype attributes. It carries a CVSS v3.1 score of 6.5 (Medium severity), indicating a moderate security risk with potential integrity and confidentiality impact. The flaw affects all versions prior to 1.4.27, exposing applications using these versions to unauthorized modification of cookie data structures. Exploitation is possible over the network with low attack complexity and requires no privileges or user interaction, making it relatively easy to abuse. The issue arises due to insufficient validation of user-supplied cookie names, specifically allowing special properties like __proto__ to override internal object behavior. Successful exploitation can lead to unintended property injection, potentially impacting application logic and data handling. While the vulnerability does not directly affect availability, it can alter application state and compromise trust boundaries.
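The bug class described above, a cookie named __proto__ written onto a plain object, shown beside a hardened parser; this is an added example, not elysia's code, and the parser shape, the per-cookie record format and the helper names are assumptions for illustration.

```javascript
// Added example (not elysia's code): a naive cookie-header parser next to a
// hardened one. Each parsed cookie is stored as a small record object, as
// framework cookie jars commonly do; that record is what ends up on the
// prototype chain when the cookie name is __proto__.

// Names that reach the prototype chain on a plain object instead of
// becoming ordinary own properties.
const UNSAFE_COOKIE_NAMES = new Set(['__proto__', 'constructor', 'prototype']);

// Splits "a=1; b=2" into [name, value] pairs; shared by both parsers.
function splitCookieHeader(header) {
  const pairs = [];
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = decodeURIComponent(part.slice(0, idx).trim());
    const value = decodeURIComponent(part.slice(idx + 1).trim());
    if (name) pairs.push([name, value]);
  }
  return pairs;
}

// Vulnerable pattern: plain {} jar and direct assignment. For a cookie named
// __proto__ the assignment hits Object.prototype's __proto__ setter, so the
// record becomes the jar's prototype and its fields leak into every lookup.
function parseCookiesNaive(header) {
  const jar = {};
  for (const [name, value] of splitCookieHeader(header)) {
    jar[name] = { name, value };
  }
  return jar;
}

// Hardened pattern: a null-prototype jar (no inherited setter to trigger)
// plus an explicit deny-list, so the dangerous names are dropped outright.
function parseCookiesSafe(header) {
  const jar = Object.create(null);
  for (const [name, value] of splitCookieHeader(header)) {
    if (UNSAFE_COOKIE_NAMES.has(name)) continue;
    jar[name] = { name, value };
  }
  return jar;
}

// Detection check: true when a cookie that was never sent still resolves on
// the jar, i.e. the lookup is answered by a replaced prototype.
function jarIsPolluted(jar, probe) {
  return probe in jar && !Object.prototype.hasOwnProperty.call(jar, probe);
}
```

The same check can be run against any cookie jar object after parsing to confirm that a fix in your own code (or the upgrade to 1.4.27) closed this path.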
RECOMMENDATION:
We strongly recommend you update elysia to version 1.4.27.
REFERENCES:
The following reports contain further technical details: