CVE-2025-66020
📋 TL;DR
This CVE describes a Regular Expression Denial of Service (ReDoS) vulnerability in Valibot's emoji validation regex. Attackers can submit a short malicious string (<100 characters) that causes excessive CPU consumption, potentially leading to application DoS. This affects applications using Valibot versions 0.31.0 through 1.1.0 for data validation.
💻 Affected Systems
- Valibot
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete application denial of service, making the service unavailable to legitimate users for extended periods due to CPU exhaustion.
Likely Case
Degraded application performance or temporary unavailability when malicious inputs trigger the vulnerable regex pattern.
If Mitigated
Minimal impact with proper input validation and rate limiting in place before reaching the vulnerable regex.
🎯 Exploit Status
Exploitation requires submitting malicious input to endpoints that use Valibot's emoji validation. No authentication is needed if the endpoint is public.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.0
Vendor Advisory: https://github.com/open-circle/valibot/security/advisories/GHSA-vqpr-j7v3-hqw9
Restart Required: No
Instructions:
1. Update the Valibot dependency to version 1.2.0 or later.
2. Run npm update valibot or yarn upgrade valibot.
3. Test application functionality that uses emoji validation.
🔧 Temporary Workarounds
Disable emoji validation
Remove or disable the emoji action/validation from your Valibot schemas
Implement input length limits
Add input length validation before the vulnerable regex is executed
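The length-limit workaround above only helps if the bound is enforced before the expensive regex runs. The example below is added here and is not Valibot code: it wraps an arbitrary validator in a length gate and reports whether the inner validator was ever invoked. The emoji check inside it is a constructed stand-in (a simple Unicode-property test), not Valibot's emoji regex, and the 64-code-unit limit is an assumed value; pick one that fits your field.

```javascript
// Added example: a length gate placed in front of a validation step.
// Nothing here is Valibot's own code; the validator is a constructed stand-in.

const MAX_EMOJI_INPUT = 64; // assumed limit, counted in UTF-16 code units like String.length

// Constructed stand-in for an emoji validator: accepts strings made only of
// pictographic code points plus the joiner/variation selector used in sequences.
function looksLikeEmoji(input) {
  return /^[\p{Extended_Pictographic}\u200d\ufe0f]+$/u.test(input);
}

// Wrap a validator so over-long (or non-string) input is rejected before the
// validator runs. The `ran` flag records whether the inner validator executed.
function lengthGated(maxLength, validate) {
  return function gated(input) {
    if (typeof input !== 'string') {
      return { ok: false, ran: false, reason: 'not a string' };
    }
    if (input.length > maxLength) {
      // Reject before any regex sees the input; this is the DoS mitigation.
      return { ok: false, ran: false, reason: `longer than ${maxLength} code units` };
    }
    const ok = validate(input);
    return { ok, ran: true, reason: ok ? null : 'failed validation' };
  };
}

// Gated validator for an emoji field.
const validateEmojiField = lengthGated(MAX_EMOJI_INPUT, looksLikeEmoji);

// Constructed sample inputs.
const SAMPLE_INPUTS = {
  short: '😀👍',                 // valid, 4 code units
  plainText: 'hello',            // short but not emoji
  oversized: '😀'.repeat(100),   // 200 code units: rejected before validation
};

function demo() {
  const results = {};
  for (const [name, value] of Object.entries(SAMPLE_INPUTS)) {
    results[name] = validateEmojiField(value);
  }
  return results;
}
```

In a Valibot schema the equivalent ordering is `v.pipe(v.string(), v.maxLength(64), v.emoji())`. One caveat to confirm against the Valibot docs for the version you run: by default Valibot continues running later actions in a pipe after an earlier action has reported an issue, so a failing `maxLength` does not by itself stop `emoji` from executing; passing `abortPipeEarly: true` in the parse config (or using a wrapper like the one above) is what actually keeps the regex from seeing over-long input.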
🧯 If You Can't Patch
- Implement WAF rules to block suspicious regex patterns or limit input length
- Add rate limiting to endpoints using emoji validation to prevent mass exploitation
🔍 How to Verify
Check if Vulnerable:
Check package.json or package-lock.json for a Valibot version from 0.31.0 through 1.1.0 (inclusive)
Check Version:
npm list valibot or yarn list valibot
Verify Fix Applied:
Confirm Valibot version is 1.2.0 or higher in package.json
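The version check above is easy to get wrong by hand (0.31.0 sorts after 0.4.0, and a caret range in package.json says nothing about what is actually installed). The following is an added example, not a script from Valibot or from this advisory's source: it reads the installed valibot version from a package-lock.json object and compares it against the affected range stated here, 0.31.0 through 1.1.0 inclusive, with 1.2.0 as the fixed version. The lockfile fragment is constructed for the example.

```javascript
// Added example: decide whether the installed valibot version falls in the
// affected range 0.31.0..1.1.0 (inclusive). Range and fix version are taken
// from the advisory text above; the lockfile below is constructed.

const AFFECTED_MIN = '0.31.0';
const AFFECTED_MAX = '1.1.0';
const FIXED_VERSION = '1.2.0';

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (a leading "v" is tolerated).
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Numeric comparison per component; a prerelease sorts before its release.
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre && !y.pre) return -1;
  if (!x.pre && y.pre) return 1;
  return 0;
}

function isAffectedValibot(version) {
  return compareSemver(version, AFFECTED_MIN) >= 0 &&
         compareSemver(version, AFFECTED_MAX) <= 0;
}

// Installed version from a lockfile: v2/v3 "packages" map first, then the
// v1 "dependencies" map. Only these reflect what is actually on disk; the
// root "dependencies" range (e.g. "^1.0.0") does not.
function valibotVersionFromLock(lock) {
  const pkg = lock.packages && lock.packages['node_modules/valibot'];
  if (pkg && pkg.version) return pkg.version;
  const dep = lock.dependencies && lock.dependencies.valibot;
  if (dep && dep.version) return dep.version;
  return null;
}

function assessLock(lock) {
  const version = valibotVersionFromLock(lock);
  if (version === null) {
    return { version: null, affected: false, action: 'valibot not installed' };
  }
  const affected = isAffectedValibot(version);
  return {
    version,
    affected,
    action: affected ? `upgrade valibot to ${FIXED_VERSION} or later` : 'no action required',
  };
}

// Constructed package-lock.json fragment (lockfileVersion 3), not from a real project.
const SAMPLE_LOCK = JSON.parse(`{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": { "dependencies": { "valibot": "^1.0.0" } },
    "node_modules/valibot": { "version": "1.1.0" }
  }
}`);
```

Run it against a real lockfile with `assessLock(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`. If your repository has no lockfile, `npm list valibot` as listed above is the authoritative source, since a caret range such as `^1.0.0` can resolve to either an affected or a fixed release depending on when the install happened.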
📡 Detection & Monitoring
Log Indicators:
- High CPU usage spikes
- Slow response times on validation endpoints
- Repeated failed validation attempts
Network Indicators:
- Multiple requests with unusual character patterns
- Requests containing complex emoji-like strings
SIEM Query:
source="application_logs" AND (message="CPU spike" OR message="slow validation") AND process="node"