validator.js has a URL validation bypass vulnerability in its isURL function
- Severity:
- Medium
Description
A URL validation bypass vulnerability exists in validator.js prior to version 13.15.20. The isURL() function uses ‘://’ as a delimiter to parse protocols, while browsers use ‘:’ as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.
Recommendation
Update the validator package to the latest compatible version. Followings are version details:
- Affected version(s): < 13.15.20
- Patched version(s): 13.15.20
References
Related Issues
- node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization - CVE-2025-12816
- systeminformation has a Command Injection vulnerability in fsSize() function on Windows - CVE-2025-68154
- Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765 - CVE-2025-66202
- Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions (GHSA-xxjr-mmjv-4gpg) 2 - CVE-2025-13465
- Tags:
- npm
- validator
Anything's wrong? Let us know Last updated on October 27, 2025