Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-12758

Summary
Assigner-snyk
Assigner Org ID-bae035ff-b466-4ff4-94d0-fc9efd9e1730
Published At-27 Nov, 2025 | 05:00
Updated At-29 Jan, 2026 | 23:06
Rejected At-
Credits

Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:snyk
Assigner Org ID:bae035ff-b466-4ff4-94d0-fc9efd9e1730
Published At:27 Nov, 2025 | 05:00
Updated At:29 Jan, 2026 | 23:06
Rejected At:
▼CVE Numbering Authority (CNA)

Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service.

Affected Products
Vendor
n/a
Product
validator
Versions
Affected
  • From 0 before 13.15.22 (semver)
Problem Types
TypeCWE IDDescription
N/AN/AIncomplete Filtering of One or More Instances of Special Elements
Type: N/A
CWE ID: N/A
Description: Incomplete Filtering of One or More Instances of Special Elements
Metrics
VersionBase scoreBase severityVector
3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P
4.08.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Karol Wrótniak
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476
N/A
https://gist.github.com/koral--/ad31208b25b9e3d1e2e35f1d4d72572e
N/A
https://github.com/validatorjs/validator.js/pull/2616
N/A
Hyperlink: https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476
Resource: N/A
Hyperlink: https://gist.github.com/koral--/ad31208b25b9e3d1e2e35f1d4d72572e
Resource: N/A
Hyperlink: https://github.com/validatorjs/validator.js/pull/2616
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-172CWE-172 Encoding Error
Type: CWE
CWE ID: CWE-172
Description: CWE-172 Encoding Error
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476
exploit
Hyperlink: https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476
Resource:
exploit
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://seclists.org/fulldisclosure/2026/Jan/27
N/A
Hyperlink: http://seclists.org/fulldisclosure/2026/Jan/27
Resource: N/A
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:report@snyk.io
Published At:27 Nov, 2025 | 05:16
Updated At:29 Jan, 2026 | 23:16

Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.07.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Secondary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Type: Secondary
Version: 4.0
Base score: 7.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CPE Matches
validator_project
validator_project
>>validator>>Versions before 13.15.22(exclusive)
cpe:2.3:a:validator_project:validator:*:*:*:*:*:node.js:*:*
Weaknesses
CWE IDTypeSource
CWE-792Secondaryreport@snyk.io
CWE-172Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-792
Type: Secondary
Source: report@snyk.io
CWE ID: CWE-172
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://gist.github.com/koral--/ad31208b25b9e3d1e2e35f1d4d72572ereport@snyk.io
Exploit
Third Party Advisory
https://github.com/validatorjs/validator.js/pull/2616report@snyk.io
Issue Tracking
Patch
https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476report@snyk.io
Exploit
Third Party Advisory
http://seclists.org/fulldisclosure/2026/Jan/27af854a3a-2127-422b-91ae-364da2661108
N/A
https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Third Party Advisory
Hyperlink: https://gist.github.com/koral--/ad31208b25b9e3d1e2e35f1d4d72572e
Source: report@snyk.io
Resource:
Exploit
Third Party Advisory
Hyperlink: https://github.com/validatorjs/validator.js/pull/2616
Source: report@snyk.io
Resource:
Issue Tracking
Patch
Hyperlink: https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476
Source: report@snyk.io
Resource:
Exploit
Third Party Advisory
Hyperlink: http://seclists.org/fulldisclosure/2026/Jan/27
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

1Records found
CVE-2021-3765
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 13.13%
||
7 Day CHG~0.00%
Published-02 Nov, 2021 | 07:05
Updated-03 Aug, 2024 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Inefficient Regular Expression Complexity in validatorjs/validator.js

validator.js is vulnerable to Inefficient Regular Expression Complexity

Action-Not Available
Vendor-validator_projectvalidatorjs
Product-validatorvalidatorjs/validator.js
CWE ID-CWE-1333
Inefficient Regular Expression Complexity
Details not found