A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| validator(npm) | 0 | 13.15.20 | N/A |
CVSS Metrics
