Login Sign Up

CVE-2025-12758

7.5 HIGH
Denial of Service

📋 TL;DR

The validator.js package's isLength() function incorrectly calculates string length when Unicode variation selectors (\uFE0F, \uFE0E) are present, allowing longer strings than intended to pass validation. This affects applications using validator.js versions before 13.15.22 for input validation, potentially leading to downstream security issues.

💻 Affected Systems

Products:
  • validator.js (JavaScript validation library)
Versions: All versions before 13.15.22
Operating Systems: All platforms running Node.js applications
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using the isLength() function for input validation.

📦 What is this software?

Validator by Validator Project

View all CVEs affecting Validator →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Buffer overflows in downstream components, database corruption from data truncation, or denial-of-service through resource exhaustion.

🟠

Likely Case

Data truncation in databases causing application errors or data integrity issues.

🟢

If Mitigated

Minor validation bypass with limited impact if other validation layers exist.

🌐 Internet-Facing: MEDIUM - Exploitable via user input but requires specific conditions and downstream vulnerabilities.
🏢 Internal Only: LOW - Typically lower risk in controlled environments with trusted users.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept available in GitHub references. Exploitation requires user input to reach vulnerable isLength() function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 13.15.22

Vendor Advisory: https://github.com/validatorjs/validator.js/pull/2616

Restart Required: No

Instructions:

1. Update validator.js package to version 13.15.22 or later. 2. Run 'npm update validator' or 'yarn upgrade validator'. 3. Test application validation functionality.

🔧 Temporary Workarounds

Input sanitization workaround

all

Implement custom validation that strips Unicode variation selectors before length checking

// JavaScript example: input.replace(/[\uFE0F\uFE0E]/g, '') before isLength()

🧯 If You Can't Patch

  • Implement additional input validation layers independent of validator.js
  • Monitor for unusually long input strings in application logs

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules/validator/package.json for version <13.15.22

Check Version:

npm list validator | grep validator

Verify Fix Applied:

Verify validator version is 13.15.22 or higher and test isLength() with strings containing \uFE0F/\uFE0E

📡 Detection & Monitoring

Log Indicators:

  • Unusually long input strings passing validation
  • Database truncation errors
  • Application validation failures

Network Indicators:

  • Large payloads containing Unicode variation selectors

SIEM Query:

Search for application logs containing '\uFE0F' or '\uFE0E' in user input fields

📊 Metadata

CVE ID: CVE-2025-12758
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-792
EPSS Score: 0.07% exploit probability (22.3th percentile)
Published: November 27, 2025
Last Updated: January 29, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON