7.5
Elysia URL Format Can Be Slow or Crashed by Repeated Input
CVE-2026-30837
GHSA-f45g-68q3-5w8x
Summary
A bug in Elysia's URL format validation can cause a slowdown or crash when it is given a long string of repeated URL fragments. This can happen if a user submits a very long URL, or if a malicious user deliberately sends oversized input to overload the system. To protect your system, update Elysia to version 1.4.26, or as a workaround limit the accepted URL length or register a replacement `url` format validator.
What to do
- Update elysia to version 1.4.26.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | elysia | < 1.4.26 | 1.4.26 |
Original title
Elysia has a string URL format ReDoS
Original description
### Impact
`t.String({ format: 'url' })` is vulnerable to ReDoS.
Repeating a partial URL (protocol and hostname) multiple times causes the format regex to slow down significantly:
```js
'http://a'.repeat(n)
```
Here's a table showing how long it takes to validate the repeated partial URL for increasing `n`:
| `n` repeat | elapsed_ms |
| --- | --- |
| 1024 | 33.993 |
| 2048 | 134.357 |
| 4096 | 537.608 |
| 8192 | 2155.842 |
| 16384 | 8618.457 |
| 32768 | 34604.139 |
### Patches
Patched in 1.4.26; please update `elysia` to >= 1.4.26.
Here's how long the same inputs take after the patch:
| `n` repeat | elapsed_ms |
| --- | --- |
| 1024 | 0.194 |
| 2048 | 0.274 |
| 4096 | 0.455 |
| 8192 | 0.831 |
| 16384 | 1.632 |
| 32768 | 3.052 |
### Workarounds
1. It's recommended to always limit the URL format to a reasonable length:
```ts
t.String({
  format: 'url',
  maxLength: 288
})
```
2. If long URLs are necessary and updating to 1.4.26 is not possible, add the following code anywhere in your codebase to replace the `url` format validator:
```js
import { FormatRegistry } from '@sinclair/typebox'

FormatRegistry.Delete('url')
FormatRegistry.Set('url', (value) =>
  /^(?:https?|ftp):\/\/(?:[^\s:@]+(?::[^\s@]*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)(?:\.(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)*(?:\.(?:[a-z\u{00a1}-\u{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$/iu.test(
    value
  )
)
```
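As an added example (not Elysia's or TypeBox's code), here is the workaround's replacement validator wrapped in the length cap from workaround 1, as a plain function that can be handed to `FormatRegistry.Set`, with a timing check against the repeated input from the Impact section. The `MAX_URL_LENGTH` value and the function names are assumptions.

```javascript
// Added example (not Elysia's or TypeBox's own code). MAX_URL_LENGTH and the
// function names below are assumptions chosen for illustration.

// Upper bound on accepted URL length. Bounding the input first caps the work
// any validator can do, which is the point of the advisory's maxLength advice.
const MAX_URL_LENGTH = 2048;

// Replacement URL regex from the advisory's workaround, copied verbatim.
const SAFE_URL_RE = /^(?:https?|ftp):\/\/(?:[^\s:@]+(?::[^\s@]*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)(?:\.(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)*(?:\.(?:[a-z\u{00a1}-\u{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$/iu;

// Length-guarded validator suitable for FormatRegistry.Set('url', isSafeUrl).
function isSafeUrl(value, maxLength = MAX_URL_LENGTH) {
  if (typeof value !== 'string' || value.length > maxLength) return false;
  return SAFE_URL_RE.test(value);
}

// The advisory's slow input: the partial URL 'http://a' repeated n times.
function repeatedPartialUrl(n) {
  return 'http://a'.repeat(n);
}

// Run the validator and report how long it took, so a deployment can confirm
// that rejecting the repeated input stays in the low-millisecond range.
function timeValidation(value, maxLength = MAX_URL_LENGTH) {
  const start = process.hrtime.bigint();
  const ok = isSafeUrl(value, maxLength);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  return { ok, elapsedMs };
}

// To install it, as the advisory's workaround does (not executed here):
//   import { FormatRegistry } from '@sinclair/typebox'
//   FormatRegistry.Delete('url')
//   FormatRegistry.Set('url', (value) => isSafeUrl(value))

// Constructed sample inputs: two well-formed URLs and the advisory's payload.
const samples = [
  'https://example.com',
  'ftp://ftp.example.org:21/file.txt',
  repeatedPartialUrl(32768),
];
for (const s of samples) {
  // maxLength = Infinity exercises the regex alone, without the length cap.
  const { ok, elapsedMs } = timeValidation(s, Infinity);
  console.log(`${ok ? 'accept' : 'reject'} len=${s.length} ${elapsedMs.toFixed(3)} ms`);
}
```

The replacement regex also rejects dotless hosts such as `localhost` and loopback or private-range IP literals, so check it against the URLs your application must accept before installing it.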
nvd CVSS3.1
7.5
Vulnerability type
CWE-1333
Inefficient Regular Expression Complexity (ReDoS)
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026