SNYK-JS-VALIDATOR-13395830
## Overview

[validator](https://www.npmjs.com/package/validator) is a library of string validators and sanitizers.

Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input in the `isURL()` function, which does not take into account that browsers treat `:` as the protocol delimiter. An attacker can bypass protocol and domain validation by crafting URLs that exploit this discrepancy in protocol parsing, which can lead to Cross-Site Scripting and Open Redirect attacks.

## Remediation

Upgrade `validator` to version 13.15.20 or higher.

## References

- [GitHub Commit](https://github.com/validatorjs/validator.js/commit/cbef5088f02d36caf978f378bb845fe49bdc0809)
- [GitHub Gist](https://gist.github.com/junan-98/a93130505b258b9e4ec9f393e7533596)
- [GitHub PR](https://github.com/validatorjs/validator.js/pull/2608)
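The following defence-in-depth check is an added example, not code from validator.js or from the advisory. It parses the input with the WHATWG `URL` parser that browsers implement, so the scheme is whatever precedes the first `:`, and only then applies an allow-list. The function name `checkUrl` and the contents of both allow-lists are assumptions standing in for application policy.

```javascript
// Added example (not validator.js code). Allow-list values are hypothetical policy.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
const ALLOWED_HOSTS = new Set(['example.com', 'www.example.com']);

function checkUrl(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not-a-string' };

  // The WHATWG parser silently strips tabs, newlines and surrounding
  // control/space characters. Reject such input instead of letting the
  // parser normalise it into something the caller never inspected.
  if (/[\u0000-\u0020\u007f]/.test(input)) {
    return { ok: false, reason: 'control-or-space' };
  }

  let url;
  try {
    url = new URL(input); // no base URL: relative input is rejected
  } catch {
    return { ok: false, reason: 'unparseable' };
  }

  // url.protocol is the scheme as a browser sees it: the text before the
  // first ':' (lower-cased), whether or not '//' follows.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: 'protocol', protocol: url.protocol };
  }
  // Userinfo makes the real host easy to misread; refuse it outright.
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials' };
  }
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    return { ok: false, reason: 'host', host: url.hostname };
  }
  // Hand back the parser's serialisation so later code uses exactly the
  // string that was checked.
  return { ok: true, href: url.href };
}

// Constructed sample inputs.
for (const s of ['https://example.com/a?b=1', 'javascript:void(0)',
                 'https://user@example.com/', 'https://other.example/']) {
  console.log(s, '->', JSON.stringify(checkUrl(s)));
}
```

Use the returned `href`, not the original string, in any redirect or attribute so that the checked value and the used value cannot differ.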
Timeline
- Apr 10, 2025 CVE Updated
- Oct 17, 2025 CVE Published
References
- https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13395830 advisory
- https://www.npmjs.com/package/validator vendor
- https://github.com/validatorjs/validator.js/commit/cbef5088f02d36caf978f378bb845fe49bdc0809 patch
- https://gist.github.com/junan-98/a93130505b258b9e4ec9f393e7533596 technical
- https://github.com/validatorjs/validator.js/pull/2608 patch