validator.js has a URL validation bypass vulnerability in its isURL function

Severity:: Medium

Description

A URL validation bypass vulnerability exists in validator.js prior to version 13.15.20. The isURL() function uses ‘://’ as a delimiter to parse protocols, while browsers use ‘:’ as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.

Recommendation

Update the validator package to the latest compatible version. Followings are version details:

Affected version(s): < 13.15.20
Patched version(s): 13.15.20

References

GHSA-9965-vmph-33xx
validatorjs.com
CVE-2025-56200
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true` - CVE-2025-65944
Server-Side Request Forgery via /_image endpoint in Astro Cloudflare adapter - CVE-2025-58179
CKEditor 5 cross-site scripting (XSS) vulnerability in the clipboard package - CVE-2025-58064
Payload's SQLite adapter Session Fixation vulnerability (GHSA-26rv-h2hf-3fw4) - CVE-2025-4644

Tags:: npm; validator

Anything's wrong? Let us know Last updated on October 27, 2025