CVE-2025-56200: validator.js has a URL validation bypass vulnerability in its isURL function
(updated )
A URL validation bypass vulnerability exists in validator.js prior to version 13.15.20. The isURL() function uses ‘://’ as a delimiter to parse protocols, while browsers use ‘:’ as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.
References
- gist.github.com/junan-98/27ae092aa40e2a057d41a0f95148f666
- gist.github.com/junan-98/a93130505b258b9e4ec9f393e7533596
- github.com/advisories/GHSA-9965-vmph-33xx
- github.com/validatorjs/validator.js
- github.com/validatorjs/validator.js/commit/cbef5088f02d36caf978f378bb845fe49bdc0809
- github.com/validatorjs/validator.js/issues/2600
- github.com/validatorjs/validator.js/pull/2608
- github.com/validatorjs/validator.js/releases/tag/13.15.20
- nvd.nist.gov/vuln/detail/CVE-2025-56200
Code Behaviors & Features
Detect and mitigate CVE-2025-56200 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →