High severity7.5OSV Advisory· Published Nov 26, 2025· Updated Apr 15, 2026
CVE-2025-66020
CVE-2025-66020
Description
Valibot helps validate data using a schema. In versions from 0.31.0 to 1.1.0, the EMOJI_REGEX used in the emoji action is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. A short, maliciously crafted string (e.g., <100 characters) can cause the regex engine to consume excessive CPU time (minutes), leading to a Denial of Service (DoS) for the application. This issue has been patched in version 1.2.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
valibotnpm | >= 0.31.0, < 1.2.0 | 1.2.0 |
Affected products
2- Range: 1.0.0-beta.0-to-json-schema, v0.1.0-to-json-schema, v0.1.1-to-json-schema, …
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.