validator @12.2.0
String validation and sanitization
Maintainers
Keywords
Dev Dependencies (14)
| Package | Constraint | Registry Status |
|---|---|---|
| nyc | ^14.1.0 | auto_approved |
| mocha | ^5.1.1 | auto_approved |
| eslint | ^4.19.1 | auto_approved |
| rollup | ^0.43.0 | auto_approved |
| uglify-js | ^3.0.19 | auto_approved |
| @babel/cli | ^7.0.0 | auto_approved |
| @babel/core | ^7.0.0 | auto_approved |
| babel-eslint | ^10.0.1 | auto_approved |
| @babel/register | ^7.0.0 | auto_approved |
| @babel/preset-env | ^7.0.0 | auto_approved |
| rollup-plugin-babel | ^4.0.1 | auto_approved |
| eslint-plugin-import | ^2.11.0 | auto_approved |
| eslint-config-airbnb-base | ^12.1.0 | auto_approved |
| babel-plugin-add-module-exports | ^1.0.0 | auto_approved |
Changes from v11.1.0
Dependency Changes
Script Changes
+ build:es
+ clean:es
File Changes
Risk Dispositions (4 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| osv:GHSA-vghf-hv5q-vc2g | osv | reject | AI | AI (osv): HIGH severity vulnerability fixed in 13.15.22; all versions < 13.15.22 are affected. |
| osv:GHSA-9965-vmph-33xx | osv | reject | AI | AI (osv): URL validation bypass fixed in 13.15.20; all versions < 13.15.20 are affected. |
| osv:GHSA-qgmg-gppg-76g5 | osv | reject | AI | AI (osv): ReDoS vulnerability fixed in 13.7.0; all versions < 13.7.0 are affected. |
| osv:GHSA-xx4c-jj58-r7x6 | osv | reject | AI | AI (osv): ReDoS in rtrim/trim fixed in 13.7.0; affects >= 11.1.0, < 13.7.0. |
SAST Findings (5)
[Always reject] CVSS 6.1 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N A URL validation bypass vulnerability exists in validator.js prior to version 13.15.20. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.
[Always reject] CVSS 5.3 (MEDIUM) — CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L validator.js prior to 13.7.0 is vulnerable to Inefficient Regular Expression Complexity
[Always reject] CVSS 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service.
[Always reject] CVSS 5.3 (MEDIUM) — CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Impact: versions of `validator` prior to 13.7.0 are affected by an inefficient Regular Expression complexity when using the `rtrim` and `trim` sanitizers. Patches: the problem has been patched in validator 13.7.0.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
Review Summary
Risk score: 100 (capped from 173). Findings: 4 critical (+160), 1 medium (+10), 1 low (+3).
Commit: 04b8b0a530ae
Published to npm: