CVE-2025-12758

moderate-risk
Published 2025-11-27

Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service.

Do I need to act?

-
0.10% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (1)

Validator

Affected Vendors

Validator Project

References (5)

Exploit https://gist.github.com/koral--/ad31208b25b9e3d1e2e35f1d4d72572e
Issue Tracking https://github.com/validatorjs/validator.js/pull/2616
Exploit https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476
http://seclists.org/fulldisclosure/2026/Jan/27
Exploit https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476
31
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal