Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements

Severity:: High

Description

Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length calculation.

Recommendation

Update the validator package to the latest compatible version. Followings are version details:

Affected version(s): < 13.15.22
Patched version(s): 13.15.22

References

GHSA-vghf-hv5q-vc2g
security.snyk.io
seclists.org
CVE-2025-12758
CWE-172
CWE-792
CAPEC-310
OWASP 2021-A6

Related Issues

counterpart vulnerable to prototype pollution - CVE-2025-57354
SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering - CVE-2025-67647
Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding - CVE-2025-68272
Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints - CVE-2025-68273

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; validator

Anything's wrong? Let us know Last updated on January 31, 2026