A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/56xxx/CVE-2025-56200.json",
"cna_assigner": "mitre"
}