[Security] Query type confusion and FormData auto-parse prototype pollution #1848

@eddieran

Summary

Two security issues found in Elysia's request parsing:

1. Query Type Confusion (Medium)

File: src/parse-query.ts:121-239

parseQueryStandardSchema (used with Zod/Valibot) auto-parses query values that look like JSON objects/arrays and splits comma-separated values into arrays. This happens before schema validation, so transform/derive hooks receive objects where strings were expected. Applications using noValidate are fully exposed.

Example: ?filter={"$gt":0} is parsed as an object instead of a string.

Fix: Don't auto-parse query values before validation, or at minimum only do so when the schema explicitly expects non-string types.
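An added illustration of the second form of that fix (coerce only when the schema says so); this is example code written for this issue, not Elysia's parseQueryStandardSchema, and the QuerySchema shape, the ExpectedKind names and the function names are assumptions made here. Fields the schema declares as string, and fields the schema does not mention at all, are returned exactly as received, so the `?filter={"$gt":0}` value above stays a string unless the schema explicitly asks for an object.

```typescript
// Added example, not Elysia code: a query parser that keeps every value a
// string unless the schema for that field explicitly declares a non-string
// type. Schema shape and names below are assumptions for this illustration.

type ExpectedKind = 'string' | 'number' | 'boolean' | 'object' | 'array';
type QuerySchema = Record<string, ExpectedKind>;

function decodeComponent(s: string): string {
  try {
    return decodeURIComponent(s.replace(/\+/g, ' '));
  } catch {
    return s; // malformed percent-encoding: keep the raw text
  }
}

// Split "?a=1&b=2" into decoded [key, value] pairs. No coercion happens here.
function splitQuery(search: string): Array<[string, string]> {
  const pairs: Array<[string, string]> = [];
  const body = search.startsWith('?') ? search.slice(1) : search;
  if (body === '') return pairs;
  for (const part of body.split('&')) {
    if (part === '') continue;
    const eq = part.indexOf('=');
    const k = eq === -1 ? part : part.slice(0, eq);
    const v = eq === -1 ? '' : part.slice(eq + 1);
    pairs.push([decodeComponent(k), decodeComponent(v)]);
  }
  return pairs;
}

function tryJson(raw: string): unknown {
  try {
    return JSON.parse(raw);
  } catch {
    return undefined;
  }
}

// Coerce one raw value according to the declared kind. Undeclared fields and
// string fields are returned untouched, so '{"$gt":0}' remains a string.
function coerceQueryValue(raw: string, kind: ExpectedKind | undefined): unknown {
  if (kind === undefined || kind === 'string') return raw;
  if (kind === 'number') {
    const n = Number(raw);
    return raw.trim() !== '' && Number.isFinite(n) ? n : raw;
  }
  if (kind === 'boolean') {
    return raw === 'true' ? true : raw === 'false' ? false : raw;
  }
  if (kind === 'array') {
    // Accept a JSON array literal, otherwise fall back to comma splitting,
    // and only because the schema asked for an array.
    const parsed = raw.startsWith('[') ? tryJson(raw) : undefined;
    return Array.isArray(parsed) ? parsed : raw.split(',');
  }
  // kind === 'object': parse only a JSON object literal, else keep the string
  const parsed = raw.startsWith('{') ? tryJson(raw) : undefined;
  return parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed)
    ? parsed
    : raw;
}

function parseQuery(search: string, schema: QuerySchema): Record<string, unknown> {
  // Null-prototype result so a "__proto__" query key is just an own property.
  const out = Object.create(null) as Record<string, unknown>;
  for (const [key, raw] of splitQuery(search)) {
    out[key] = coerceQueryValue(raw, schema[key]);
  }
  return out;
}

// Constructed sample schema: only `page` and `tags` opt in to coercion.
const SAMPLE_SCHEMA: QuerySchema = { filter: 'string', page: 'number', tags: 'array' };
```

With SAMPLE_SCHEMA, `parseQuery('?filter={"$gt":0}&page=2&tags=a,b', SAMPLE_SCHEMA)` yields a string for `filter`, the number 2 for `page` and `['a', 'b']` for `tags`; a field that is absent from the schema is never parsed, which is the safe default when validation is off.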

2. FormData Auto-Parse Prototype Pollution (Medium)

File: src/dynamic-handle.ts:126-169

normalizeFormValue auto-parses any form field value starting with { or [ as JSON. Parsed objects can carry __proto__ as an enumerable property, creating prototype pollution risk if downstream code merges/spreads these objects.

Fix: Strip __proto__, constructor, and prototype keys from parsed FormData objects (similar to how cookie parsing already does this).
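An added example of that fix, written for this issue rather than taken from Elysia's normalizeFormValue; the helper names are assumptions. The value is still auto-parsed when it starts with `{` or `[` (the behaviour described above), but the parsed tree is rebuilt without `__proto__`, `constructor` and `prototype` keys at every depth before it is returned, and a separate detection helper reports whether a raw parse carried any such key, which is useful for logging rejected submissions.

```typescript
// Added example, not Elysia code: auto-parse a form field that looks like
// JSON, then strip prototype-related keys from the result before any
// downstream merge or spread can see them. Names are assumptions.

const FORBIDDEN_KEYS: ReadonlySet<string> = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value: unknown): value is Record<string, unknown> {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Detection: does a JSON.parse result carry a forbidden key anywhere in it?
// JSON.parse creates "__proto__" as an own enumerable property, so
// Object.keys lists it like any other key.
function containsForbiddenKey(value: unknown): boolean {
  if (Array.isArray(value)) return value.some(containsForbiddenKey);
  if (!isPlainObject(value)) return false;
  return Object.keys(value).some(
    (k) => FORBIDDEN_KEYS.has(k) || containsForbiddenKey(value[k]),
  );
}

// Mitigation: copy the tree into fresh objects, dropping forbidden keys at
// every depth. Arrays are walked element by element.
function stripForbiddenKeys(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(stripForbiddenKeys);
  if (!isPlainObject(value)) return value;
  const clean: Record<string, unknown> = {};
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    clean[key] = stripForbiddenKeys(value[key]);
  }
  return clean;
}

// Same trigger as the issue describes (leading '{' or '['), but the parsed
// object is sanitized before it is handed back. Non-JSON text is returned as is.
function normalizeFormValue(raw: string): unknown {
  const first = raw.charAt(0);
  if (first !== '{' && first !== '[') return raw;
  try {
    return stripForbiddenKeys(JSON.parse(raw));
  } catch {
    return raw; // not valid JSON: keep the original string
  }
}

// Constructed sample field value containing forbidden keys at several depths.
const SAMPLE_FORM_VALUE =
  '{"__proto__":{"polluted":true},"name":"a","nested":{"constructor":{"prototype":{"x":1}},"ok":2},"list":[{"prototype":1},3]}';
```

Running `normalizeFormValue(SAMPLE_FORM_VALUE)` returns `{ name: 'a', nested: { ok: 2 }, list: [{}, 3] }`, while `containsForbiddenKey(JSON.parse(SAMPLE_FORM_VALUE))` is true, so the raw parse can be flagged before the sanitized copy is passed on. Because the result is rebuilt rather than mutated, the sanitized object never had an own `__proto__` property to begin with.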

Impact

  • Type confusion can bypass application security logic that expects string query params
  • Prototype pollution via FormData can affect application behavior

Affected Version

Current main branch
