CVE-2025-56200
MEDIUM6.1EPSS 0.05%validator.js has a URL validation bypass vulnerability in its isURL function
Published: 9/30/2025Modified: 2/4/2026
Description
A URL validation bypass vulnerability exists in validator.js prior to version 13.15.20. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.
Affected packages (1)
- npm/validatorfrom 0, < 13.15.20
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References (9)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-56200
- PATCHhttps://github.com/validatorjs/validator.js
- WEBhttps://gist.github.com/junan-98/27ae092aa40e2a057d41a0f95148f666
- WEBhttps://gist.github.com/junan-98/a93130505b258b9e4ec9f393e7533596
- WEBhttps://github.com/validatorjs/validator.js/commit/cbef5088f02d36caf978f378bb845fe49bdc0809
- WEBhttps://github.com/validatorjs/validator.js/issues/2600
- WEBhttps://github.com/validatorjs/validator.js/pull/2608
- WEBhttps://github.com/validatorjs/validator.js/releases/tag/13.15.20
- WEBhttp://validatorjs.com