CVE Catalog

CVE-2025-56200

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

22th percentile - higher than 22% of all known CVEs

Summary

A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.

Risk Assessment

The organization is exposed to Cross-Site Scripting (XSS) and Open Redirect attacks, which can lead to data theft, session hijacking, or redirection to malicious sites.

Recommendation

Immediately update the validator.js library to version 13.15.16 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS