CVE-2025-56200
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk22th percentile - higher than 22% of all known CVEs
Summary
A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.
Risk Assessment
The organization is exposed to Cross-Site Scripting (XSS) and Open Redirect attacks, which can lead to data theft, session hijacking, or redirection to malicious sites.
Recommendation
Immediately update the validator.js library to version 13.15.16 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.

