CVE-2025-12758 is a high-severity vulnerability (CVSS 7.5) discovered in the popular JavaScript 'validator' library. The flaw resides in the isLength() function, which fails to correctly account for Unicode Variation Selectors (U+FE0E and U+FE0F). These zero-width characters allow an attacker to craft payloads that appear small to the validator while occupying significant memory and storage space.
The impact of this bypass includes Denial of Service (DoS) through memory exhaustion, data truncation in databases with strict byte limits, and general security bypasses where length constraints are intended to prevent large data blobs. By injecting thousands of variation selectors, an attacker can bypass API limits, potentially leading to application logic errors or system crashes.
Users of the 'validator' npm package are urged to upgrade to version 13.15.22 immediately. This patch implements a surgical fix to ensure that Unicode pairs and selectors are correctly counted, reflecting the actual data footprint of the input string.
Top comments (0)