Moderate severity · NVD Advisory · Published Sep 30, 2025 · Updated Sep 30, 2025
CVE-2025-56200
Description
A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses '://' as the delimiter when parsing the protocol, while browsers use ':' as the delimiter. This parsing difference lets an attacker craft URLs that bypass protocol and domain validation, leading to XSS and Open Redirect attacks.
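The delimiter mismatch described above, shown on constructed inputs next to a stricter check that parses with the WHATWG `URL` class and allowlists scheme and host. This is an added example, not code from validator.js or the advisory; `schemeByDelimiter`, `checkUrl`, the sample URLs and the allowed host are assumptions for illustration.

```javascript
// Added example: helper names and sample inputs are constructed for illustration.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// What a validator takes to be the scheme when it searches for `delimiter`.
// Returns null when the delimiter is absent (input is treated as scheme-less).
function schemeByDelimiter(input, delimiter) {
  const i = input.indexOf(delimiter);
  return i === -1 ? null : input.slice(0, i).toLowerCase();
}

// Stricter check: parse once with the WHATWG URL parser (the URL Standard
// that browsers implement), then allowlist scheme and host on the parsed
// result instead of on substrings of the raw input.
function checkUrl(input, allowedHosts) {
  let parsed;
  try {
    parsed = new URL(input); // absolute URLs only; throws otherwise
  } catch {
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: `scheme ${parsed.protocol} not allowed` };
  }
  if (!allowedHosts.has(parsed.hostname)) {
    return { ok: false, reason: `host ${parsed.hostname} not allowed` };
  }
  return { ok: true, href: parsed.href };
}

// Constructed sample inputs.
const SAMPLES = [
  'https://example.com/account',
  'mailto:user@example.com',
  'mailto:user@example.com?body=see https://example.com',
  'https://example.org/',
];

// For each input: the scheme seen by each delimiter, and the strict verdict.
function report(samples, allowedHosts) {
  return samples.map((input) => ({
    input,
    slashDelimiter: schemeByDelimiter(input, '://'),
    colonDelimiter: schemeByDelimiter(input, ':'),
    verdict: checkUrl(input, allowedHosts),
  }));
}

for (const row of report(SAMPLES, new Set(['example.com']))) {
  console.log(JSON.stringify(row));
}
```

Rows where `slashDelimiter` and `colonDelimiter` disagree are inputs on which a '://'-based validator and a browser do not agree about the scheme; the strict check decides on the parsed value only.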
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| validator (npm) | < 13.15.20 | 13.15.20 |
Affected products (10)
- validator.js/validator.js (source: description)
- osv-coords, 9 versions (no CPE):
  - pkg:apk/chainguard/redisinsight, range: < 3.0.0-r0
  - pkg:apk/chainguard/redisinsight-docker-entrypoint, range: < 2.70.1-r3
  - pkg:apk/chainguard/saf, range: < 1.5.2-r0
  - pkg:apk/chainguard/sqlpad, range: < 7.5.7-r4
  - pkg:apk/chainguard/sqlpad-compat, range: < 7.5.7-r2
  - pkg:apk/wolfi/saf, range: < 1.5.2-r0
  - pkg:apk/wolfi/sqlpad, range: < 7.5.7-r4
  - pkg:apk/wolfi/sqlpad-compat, range: < 7.5.7-r2
  - pkg:npm/validator, range: < 13.15.20
References (9)
- github.com/advisories/GHSA-9965-vmph-33xx (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-56200 (ghsa, ADVISORY)
- validatorjs.com (ghsa, WEB)
- gist.github.com/junan-98/27ae092aa40e2a057d41a0f95148f666 (ghsa, WEB)
- gist.github.com/junan-98/a93130505b258b9e4ec9f393e7533596 (ghsa, WEB)
- github.com/validatorjs/validator.js/commit/cbef5088f02d36caf978f378bb845fe49bdc0809 (ghsa, WEB)
- github.com/validatorjs/validator.js/issues/2600 (ghsa, WEB)
- github.com/validatorjs/validator.js/pull/2608 (ghsa, WEB)
- github.com/validatorjs/validator.js/releases/tag/13.15.20 (ghsa, WEB)