Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements

Severity:: High

Description

Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length calculation.

Recommendation

Update the validator package to the latest compatible version. Followings are version details:

Affected version(s): < 13.15.22
Patched version(s): 13.15.22

References

GHSA-vghf-hv5q-vc2g
security.snyk.io
seclists.org
CVE-2025-12758
CWE-172
CWE-792
CAPEC-310
OWASP 2021-A6

Related Issues

csvjson vulnerable to prototype injection - CVE-2025-57318
mongosh vulnerable to local privilege escalation - CVE-2025-1756
Manifest Uses a One-Way Hash without a Salt - CVE-2025-27408
Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] (GHSA-963h-3v39-3pqf) - CVE-2025-27793

Tags:: npm; validator

Anything's wrong? Let us know Last updated on January 31, 2026