CVE-2025-12758

HIGH
Published Nov 27, 2025 Modified Jan 29, 2026 CWE-792 CWE-172

Description

Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function, which does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence, leading to improper string length calculation. As a result, an application that uses isLength for input validation can accept strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service.
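As an added example (not code from the validator project or from this advisory), the following Node.js sketch shows a storage-oriented length guard that counts every code point, variation selectors included, regardless of how the installed isLength() counts them, plus a check against the fixed version 13.15.22 named above. The function names, the limits and the sample string are assumptions made for illustration.

```javascript
// Added example: length guard that does not depend on validator's isLength().
// Names and limits are hypothetical; only 13.15.22 comes from the advisory.
const VARIATION_SELECTORS = /[\uFE0E\uFE0F]/g;

// Measure a string the way downstream components will receive it.
function measure(input) {
  const s = String(input);
  return {
    codeUnits: s.length,                      // UTF-16 code units (JS .length)
    codePoints: Array.from(s).length,         // code points, selectors included
    utf8Bytes: Buffer.byteLength(s, 'utf8'),  // bytes written to a UTF-8 column
    variationSelectors: (s.match(VARIATION_SELECTORS) || []).length,
  };
}

// Accept only if both bounds hold; no code point is discounted.
function withinLimits(input, { maxCodePoints, maxUtf8Bytes }) {
  const m = measure(input);
  return m.codePoints <= maxCodePoints && m.utf8Bytes <= maxUtf8Bytes;
}

// True when an installed validator version is at or above the fixed release.
function isPatchedValidator(version) {
  const [major, minor, patch] = version.split('.').map((n) => parseInt(n, 10));
  const [fMajor, fMinor, fPatch] = [13, 15, 22];
  if (major !== fMajor) return major > fMajor;
  if (minor !== fMinor) return minor > fMinor;
  return patch >= fPatch;
}

// Constructed sample input: two visible characters followed by 100 selectors.
const sample = 'ok' + '\uFE0F'.repeat(100);
const limits = { maxCodePoints: 10, maxUtf8Bytes: 40 }; // assumed field limits

console.log(measure(sample));
console.log('sample accepted:', withinLimits(sample, limits));
console.log('"hello" accepted:', withinLimits('hello', limits));
console.log('13.15.20 patched:', isPatchedValidator('13.15.20'));
```

Enforcing the byte bound at the same layer that writes to the database or buffer keeps the limit meaningful even if an upstream validator miscounts.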

CVSS v3.1 Score

7.5
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weakness Type (CWE)

CWE-792
CWE-172

Affected Products

Vendor Product
validator_project validator

References

Frequently Asked Questions

How severe is CVE-2025-12758?
CVE-2025-12758 has a CVSS v3.1 score of 7.5 out of 10, rated HIGH. This is a high-severity vulnerability that should be prioritized for patching.
What products are affected by CVE-2025-12758?
CVE-2025-12758 affects products from validator_project, specifically: validator. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2025-12758?
Check which version of the validator package your application installs: per the description above, versions before 13.15.22 are affected. Check the vendor advisories linked above for specific patch and version information.
