Vulnerability Description
A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to craft URLs that bypass protocol and domain validation, leading to XSS and Open Redirect attacks.
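The delimiter mismatch described above, shown as an added example that is not taken from validator.js or from the referenced advisories. `schemeByDoubleSlash` is a simplified, hypothetical model of '://'-based scheme detection, `isAllowedUrl` is one way to validate on the browser's own parse (WHATWG `URL`), and the sample inputs and host allowlist are constructed.

```javascript
// Added example: simplified model of the parsing difference, not validator.js source.

// Hypothetical model: a scheme is only recognised when "://" is present.
function schemeByDoubleSlash(input) {
  const idx = input.indexOf('://');
  return idx === -1 ? null : input.slice(0, idx).toLowerCase();
}

// Scheme as the WHATWG URL parser (the algorithm browsers implement) sees it:
// everything before the first ":".
function schemeByUrlParser(input) {
  try {
    return new URL(input).protocol.slice(0, -1); // drop the trailing ":"
  } catch {
    return null; // not an absolute URL
  }
}

// Hardened check: decide on the parsed URL, never on string splitting.
// Option names (protocols, hosts) are assumptions made for this example.
function isAllowedUrl(input, { protocols = ['http', 'https'], hosts = null } = {}) {
  let url;
  try { url = new URL(input); } catch { return false; } // relative or malformed input is rejected
  if (!protocols.includes(url.protocol.slice(0, -1))) return false;
  if (url.username || url.password) return false; // extra hardening: no userinfo before the host
  if (hosts && !hosts.includes(url.hostname)) return false;
  return true;
}

// Constructed sample inputs; the second has a scheme but no "://".
const samples = [
  'https://example.com/path',
  'mailto:user@example.com',
  'HTTPS://EXAMPLE.COM',
  'example.com/path',
];

// Side-by-side view of what each approach concludes for every input.
function compare(inputs) {
  return inputs.map((input) => ({
    input,
    doubleSlash: schemeByDoubleSlash(input),
    urlParser: schemeByUrlParser(input),
    allowed: isAllowedUrl(input, { hosts: ['example.com'] }),
  }));
}

console.table(compare(samples));
```

Any row where `doubleSlash` and `urlParser` disagree marks an input that a '://'-based check and a browser would classify differently.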
CVSS Score
6.1 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Validator Project | Validator | <= 13.15.15 |
Related Weaknesses (CWE)
References
- http://validatorjs.com (Broken Link)
- https://gist.github.com/junan-98/27ae092aa40e2a057d41a0f95148f666 (Exploit, Third Party Advisory)
- https://gist.github.com/junan-98/a93130505b258b9e4ec9f393e7533596 (Exploit, Third Party Advisory)
- https://github.com/validatorjs/validator.js (Product)
FAQ
What is CVE-2025-56200?
CVE-2025-56200 is a vulnerability with a CVSS score of 6.1 (MEDIUM). A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This ...
How severe is CVE-2025-56200?
CVE-2025-56200 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-56200?
Check the references section above for vendor advisories and patch information. Affected products include: Validator Project Validator.