Reflected cross-site scripting (XSS) In validator
Description
validator.js has a URL validation bypass vulnerability in its isURL function A URL validation bypass vulnerability exists in validator.js prior to version 13.15.20. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 npm | 13.15.20 |
Aliases
1. 2. 3. 4.
References
1. 2. 3. 4. 5. 6. 7.