Elysia Prototype Pollution Vulnerability Allowing Cookie Value Override
Vulnerability
A prototype pollution vulnerability has been identified in versions of the Elysia framework prior to 1.4.27. It allows cookie values to be manipulated by injecting properties into the cookie's prototype, and it can be exploited by sending a specially crafted cookie header. The vulnerability arises from insufficient validation of cookie values, enabling attackers to overwrite existing cookie properties or introduce new ones.
Impact
Exploitation of this vulnerability allows for prototype pollution, where an attacker can inject properties into an object's prototype, potentially leading to unexpected behavior in the application or framework.
Reproduction
To reproduce this vulnerability, send a request with a cookie header that includes a '__proto__' property. The value of this property can be a JSON string representing the injected prototype, such as an object with an 'injected' key. When the Elysia framework processes this cookie, it will inadvertently allow the prototype pollution to occur.
Remediation
Users can upgrade to Elysia version 1.4.27 or later, where this vulnerability has been patched. As an additional measure, use the framework's cookie validation features to enforce proper validation of cookie values, and avoid iterating over cookie properties where possible.
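The bug class described above, shown with a simplified cookie parser next to a hardened one. This is an added example, not Elysia's code or its patch; the function names, the deny-list and the sample header are assumptions constructed for illustration.

```javascript
// Simplified cookie parsing to illustrate the bug class; not Elysia's code.
function decodeValue(raw) {
  let text = raw;
  try { text = decodeURIComponent(raw); } catch { /* keep the raw value */ }
  try { return JSON.parse(text); } catch { return text; }
}

// Split "a=1; b=2" into [name, rawValue] pairs.
function splitPairs(header) {
  return header.split(';').map(p => p.trim()).filter(Boolean).map(p => {
    const i = p.indexOf('=');
    return i < 0 ? [p, ''] : [p.slice(0, i), p.slice(i + 1)];
  });
}

// Weak: a plain-object jar. Assigning jar['__proto__'] = {...} goes through
// the inherited __proto__ setter and replaces the jar's prototype.
function parseCookiesUnsafe(header) {
  const jar = {};
  for (const [name, raw] of splitPairs(header)) jar[name] = decodeValue(raw);
  return jar;
}

// Hardened: null-prototype jar plus a deny-list of prototype-related names
// (the deny-list contents are an assumption of this example).
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
function parseCookiesSafe(header) {
  const jar = Object.create(null);
  for (const [name, raw] of splitPairs(header)) {
    if (BLOCKED.has(name)) continue;
    jar[name] = decodeValue(raw);
  }
  return jar;
}

// Names a for...in loop would visit that are inherited, not the jar's own.
function inheritedKeys(jar) {
  const out = [];
  for (const k in jar) if (!Object.prototype.hasOwnProperty.call(jar, k)) out.push(k);
  return out;
}

// Constructed sample header following the page's description.
const SAMPLE = 'session=abc; __proto__={"injected":"yes"}';
console.log('unsafe:', parseCookiesUnsafe(SAMPLE).injected, inheritedKeys(parseCookiesUnsafe(SAMPLE)));
console.log('safe:  ', parseCookiesSafe(SAMPLE).injected, inheritedKeys(parseCookiesSafe(SAMPLE)));
```

In the weak parser the injected key never shows up in `Object.keys`, yet property reads and `for...in` loops see it, which is why iterating over cookie properties widens the exposure.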
