Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements
- Severity: High
Description
Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function, which does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence, leading to improper string length calculation.
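The effect described above, as an added example (not validator's source code; all function names are hypothetical and the sample strings are constructed): a counter that discounts every variation selector is compared with a conservative code-point count, and a guard rejects selectors that do not follow a base character.

```javascript
// Added example, not validator's source; every name here is hypothetical.
const VARIATION_SELECTORS = /[\uFE0E\uFE0F]/g;

// Naive counter (constructed for illustration): discounts every variation
// selector, so a long run of them adds nothing to the measured length.
function discountedLength(str) {
  const selectors = str.match(VARIATION_SELECTORS) || [];
  return [...str].length - selectors.length;
}

// Conservative counter: every code point counts, selectors included.
function codePointLength(str) {
  return [...str].length;
}

// Counts selectors that do not directly follow a non-selector code point
// (simplification: any non-selector code point is treated as a valid base).
function strayVariationSelectors(str) {
  let stray = 0;
  let prevIsBase = false;
  for (const ch of str) {
    const isSelector = ch === '\uFE0E' || ch === '\uFE0F';
    if (isSelector && !prevIsBase) stray += 1;
    prevIsBase = !isSelector;
  }
  return stray;
}

// Length guard for untrusted input: full code-point count, no stray selectors.
function checkLength(str, { min = 0, max }) {
  const len = codePointLength(str);
  if (strayVariationSelectors(str) > 0) {
    return { ok: false, reason: 'stray-variation-selector', len };
  }
  if (len < min || len > max) return { ok: false, reason: 'length', len };
  return { ok: true, reason: null, len };
}

// Constructed sample inputs.
const padded = 'ab' + '\uFE0F'.repeat(100); // 2 letters followed by 100 selectors
const emoji = '\u2764\uFE0F';               // heart + emoji presentation selector

console.log(discountedLength(padded), codePointLength(padded));
console.log(checkLength(padded, { max: 10 }));
console.log(checkLength(emoji, { max: 10 }));
```

The guard is a defence-in-depth measure for fields with a hard size limit; it does not replace updating to the patched version.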
Recommendation
Update the validator package to the latest compatible version. Version details follow:
- Affected version(s): < 13.15.22
- Patched version(s): 13.15.22
References
Related Issues
- Saltcorn's Reflected XSS and Command Injection vulnerabilities can be chained for 1-click-RCE - Vulnerability
- validator.js has a URL validation bypass vulnerability in its isURL function - CVE-2025-56200
- @pdfme/common vulnerable to XSS and Prototype Pollution through its expression evaluation - CVE-2025-53626
- @saltcorn/server arbitrary file and directory listing when accessing build mobile app results - Vulnerability
- Tags: npm, validator
Last updated on January 31, 2026