npm package
validator
pkg:npm/validator
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-12758 | | — | | < 13.15.22 | 13.15.22 | Nov 27, 2025 | Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to impr |
| CVE-2025-56200 | | — | | < 13.15.20 | 13.15.20 | Sep 30, 2025 | A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by |
| CVE-2021-3765 | | — | | < 13.7.0 | 13.7.0 | Nov 2, 2021 | validator.js is vulnerable to Inefficient Regular Expression Complexity |
| CVE-2014-8882 | High | — | | < 3.22.1 | 3.22.1 | Aug 31, 2020 | Versions of `validator` prior to 3.22.1 are affected by a regular expression denial of service vulnerability in the `isURL` method. Recommendation: update to version 3.22.1 or later. |
| CVE-2014-9772 | Med | 6.1 | | < 2.0.0 | 2.0.0 | Jan 23, 2017 | The validator package before 2.0.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via hex-encoded characters. |
| CVE-2013-7454 | Med | 6.1 | | < 1.1.0 | 1.1.0 | Jan 23, 2017 | The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via nested forbidden strings. |
| CVE-2013-7453 | Med | 6.1 | | < 1.1.0 | 1.1.0 | Jan 23, 2017 | The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via vectors related to UI redressing. |
| CVE-2013-7452 | Med | 6.1 | | < 1.1.0 | 1.1.0 | Jan 23, 2017 | The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via a crafted javascript URI. |
| CVE-2013-7451 | Med | 6.1 | | < 1.1.0 | 1.1.0 | Jan 23, 2017 | The validator module before 1.1.0 for Node.js allows remote attackers to bypass the XSS filter via a nested tag. |