GHSA-vghf-hv5q-vc2g

Source
https://github.com/advisories/GHSA-vghf-hv5q-vc2g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-vghf-hv5q-vc2g/GHSA-vghf-hv5q-vc2g.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vghf-hv5q-vc2g
Aliases
Downstream
Published
2025-11-27T06:31:25Z
Modified
2025-12-02T17:37:30.680652Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
  • 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
Summary
Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements
Details

Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function, which does not take Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence into account, leading to an improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial of service.
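The following is an added example, not validator.js code and not a reproduction of its isLength() implementation. It shows how four common notions of string "length" (UTF-16 code units, code points, grapheme clusters, UTF-8 bytes) diverge once variation selectors are present, and contrasts a check that bounds only the visible character count with a hardened check that also enforces an explicit storage budget in bytes. All helper names (measure, isLengthNaive, isLengthSafe) and the sample strings are this example's own constructions.

```javascript
// Added example (not validator.js code): shows how several notions of
// string "length" diverge once Unicode variation selectors (U+FE0E, U+FE0F)
// are present, and a hardened check that bounds storage size as well as
// visible length. Helper names are this example's own.

const VARIATION_SELECTORS = /[\uFE0E\uFE0F]/g;

// UTF-16 code units: what String.prototype.length reports.
function utf16Units(str) {
  return str.length;
}

// Unicode code points: a surrogate pair counts once, but each variation
// selector still counts as its own code point.
function codePoints(str) {
  return Array.from(str).length;
}

// User-perceived characters (extended grapheme clusters). A variation
// selector attaches to the preceding character, so "a" followed by any
// number of U+FE0F is a single grapheme. Uses Intl.Segmenter where
// available and otherwise approximates by dropping bare variation selectors.
function graphemes(str) {
  if (typeof Intl !== 'undefined' && typeof Intl.Segmenter === 'function') {
    const segmenter = new Intl.Segmenter(undefined, { granularity: 'grapheme' });
    let count = 0;
    for (const _ of segmenter.segment(str)) count += 1;
    return count;
  }
  return codePoints(str.replace(VARIATION_SELECTORS, ''));
}

// UTF-8 bytes: what a database column, file or network buffer actually stores.
function utf8Bytes(str) {
  return new TextEncoder().encode(str).length;
}

// Side-by-side measurement of one string.
function measure(str) {
  return {
    utf16Units: utf16Units(str),
    codePoints: codePoints(str),
    graphemes: graphemes(str),
    utf8Bytes: utf8Bytes(str),
  };
}

// Naive check: bounds only the visible character count. Illustrates the
// failure mode the advisory describes: a short-looking string padded with
// variation selectors passes even though its encoded size is far larger.
function isLengthNaive(str, { min = 0, max = Infinity } = {}) {
  const n = graphemes(str);
  return n >= min && n <= max;
}

// Hardened check: the caller states the storage budget in bytes (for
// example the column width) and it is enforced alongside the visible-length
// bounds, so padding with presentation or zero-width characters cannot
// inflate what gets stored.
function isLengthSafe(str, { min = 0, max = Infinity, maxBytes } = {}) {
  if (typeof str !== 'string') return false;
  if (!Number.isInteger(maxBytes) || maxBytes < 0) {
    throw new TypeError('maxBytes (storage budget) is required');
  }
  const visible = graphemes(str);
  if (visible < min || visible > max) return false;
  return utf8Bytes(str) <= maxBytes;
}

// Constructed inputs for demonstration.
const SAMPLES = {
  plain: 'abc',
  heart: '\u2764\uFE0F',             // U+2764 + VS16: one visible character, 6 bytes
  emoji: '\uD83D\uDE00',             // one astral code point as a surrogate pair
  padded: 'a' + '\uFE0F'.repeat(20), // one visible character, 61 bytes
};

if (typeof module !== 'undefined' && typeof require !== 'undefined' && require.main === module) {
  for (const [name, s] of Object.entries(SAMPLES)) {
    console.log(name, measure(s),
      'naive:', isLengthNaive(s, { min: 1, max: 8 }),
      'safe:', isLengthSafe(s, { min: 1, max: 8, maxBytes: 32 }));
  }
}
```

The design point is that a user-visible length bound and a storage bound are different controls: the padded sample is one grapheme but 61 bytes, so a check that only counts visible characters cannot protect a fixed-width column or buffer downstream. Requiring maxBytes explicitly forces the caller to state which limit the validation is actually defending.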

Database specific
{
    "nvd_published_at": "2025-11-27T05:16:12Z",
    "cwe_ids": [
        "CWE-792"
    ],
    "github_reviewed_at": "2025-12-02T16:51:42Z",
    "severity": "HIGH",
    "github_reviewed": true
}
References

Affected packages

npm / validator

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
13.15.22