CVE-2025-56200

EUVD-2025-31764
A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA-ADPADP
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 21%
Affected Products (NVD)
VendorProductVersion
validator_projectvalidator
𝑥
≤ 3.15.15
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://validatorjs.com
https://gist.github.com/junan-98/27ae092aa40e2a057d41a0f95148f666
https://gist.github.com/junan-98/a93130505b258b9e4ec9f393e7533596
https://github.com/validatorjs/validator.js