Conversation

@G-Rath G-Rath commented Oct 22, 2025

Updates

  • Affected products
  • Description
  • References

Comments
Updated patch version

Copilot AI review requested due to automatic review settings October 22, 2025 23:07

Copilot AI left a comment

Pull Request Overview

This PR adds a new security advisory for validator.js documenting a URL validation bypass vulnerability (CVE-2025-56200) that affects versions prior to 13.15.15. The vulnerability allows attackers to bypass protocol and domain validation due to parsing differences between the isURL() function and browsers, potentially leading to XSS and Open Redirect attacks.

  • Documents CVE-2025-56200 affecting validator.js versions before 13.15.15
  • Includes vulnerability details, CVSS score (MODERATE severity), and references to issues, PRs, and gists
  • Specifies CWE-79 (XSS) as the weakness type

G-Rath commented Oct 22, 2025

ek nope I have that mixed up - new version should hopefully be released in the next day or so, but not yet out 😅

@G-Rath G-Rath closed this Oct 22, 2025