Full Disclosure mailing list archives
From: Karol Wrótniak <karol.wrotniak () droidsonroids pl> Date: Wed, 28 Jan 2026 19:24:40 +0100
Summary
=======
A vulnerability was discovered in the popular JavaScript library 'validator'.
The isLength() function incorrectly handles Unicode Variation Selectors
(U+FE0E and U+FE0F). An attacker can inject thousands of these zero-width
characters into a string, causing the library to report a much smaller
perceived length than the actual byte size. This leads to validation bypasses,
potential database truncation, and Denial of Service (DoS).
Metadata
========
CVE ID: CVE-2025-12758
Vulnerability Type: Incomplete Filtering of Special Elements (CWE-792)
Affected Package: validator (npm)
Affected Versions: < 13.15.22
Fixed Version: 13.15.22
CVSS Score: 7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Description
===========
The 'validator' library's isLength() method is widely used to enforce
constraints on input data. However, the implementation failed to account for
Unicode Variation Selectors. These are zero-width code points that modify the
presentation of the preceding character (e.g., changing a text character into
an emoji).
Because these characters have zero width but occupy bytes in memory (UTF-16
surrogate pairs or single code points depending on the environment), an
attacker can craft a payload that:
1. Appears to have a length of 1 (e.g., 'a' followed by 5000 variation
   selectors).
2. isLength() reports as length 1 or 2 (depending on internal logic).
3. Has a massive actual memory/storage size (e.g., 10,000+ bytes).
Impact
======
- Denial of Service (DoS): Sending extremely large payloads that pass length
  checks can exhaust server memory or CPU during processing.
- Data Truncation: Databases with strict byte limits (e.g., VARCHAR(255))
  may truncate the string, potentially leading to data corruption or
  application logic errors.
- Security Bypass: Bypassing UI or API limits intended to prevent large
  blobs of data.
Proof of Concept (PoC)
======================
const validator = require('validator');
// 'a' followed by many Variation Selector-16 (\uFE0F)
const payload = 'a' + '\uFE0F'.repeat(5000);
console.log("Actual length (chars):", payload.length); // 5001
console.log("Validator isLength(payload, {max: 5}):",
validator.isLength(payload, {max: 5}));
// In vulnerable versions, this returns 'true' because selectors
// were not properly counted or were ignored in a way that bypassed
// the total length check.
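The same payload measured the ways a defender should count it, as an added example that is not part of the advisory or of the validator library: a check that enforces the limit on the UTF-8 byte footprint and UTF-16 code units, so zero-width selectors can never shrink the counted size. It assumes a Node.js runtime with the TextEncoder and Intl.Segmenter globals (Node 16+).

```javascript
'use strict';

// Report every way a string can be "long": UTF-16 code units (what .length
// returns), Unicode code points, user-perceived grapheme clusters, and the
// UTF-8 bytes a database column or wire protocol will actually store.
function measure(str) {
  const codeUnits = str.length;
  const codePoints = Array.from(str).length;
  const utf8Bytes = new TextEncoder().encode(str).length;
  let graphemes = null; // stays null if Intl.Segmenter is unavailable
  if (typeof Intl !== 'undefined' && typeof Intl.Segmenter === 'function') {
    const seg = new Intl.Segmenter(undefined, { granularity: 'grapheme' });
    graphemes = Array.from(seg.segment(str)).length;
  }
  return { codeUnits, codePoints, utf8Bytes, graphemes };
}

// Hardened length check (hypothetical helper, not validator's API): the
// maximum is applied to the UTF-8 byte size and to the UTF-16 code units,
// so a zero-width code point still counts toward the limit. Grapheme count
// is reported for display purposes only and never used to admit input.
function isLengthSafe(str, { min = 0, maxBytes }) {
  const m = measure(str);
  return m.utf8Bytes >= min && m.utf8Bytes <= maxBytes && m.codeUnits <= maxBytes;
}

// Constructed sample payload mirroring the advisory's PoC: one visible 'a'
// followed by 5000 Variation Selector-16 code points. Each U+FE0F is one
// UTF-16 code unit but three UTF-8 bytes.
const payload = 'a' + '\uFE0F'.repeat(5000);

console.log(measure(payload));
// graphemes: 1, codeUnits: 5001, codePoints: 5001, utf8Bytes: 15001
console.log(isLengthSafe(payload, { maxBytes: 5 }));  // false
console.log(isLengthSafe('h\u00e9llo', { maxBytes: 10 })); // true
```

A grapheme count of 1 against 15001 stored bytes is exactly the gap the advisory describes; enforcing limits on bytes rather than perceived characters closes it regardless of which selector or combining mark is used.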
Fix
===
The issue was fixed in version 13.15.22 by implementing a surgical fix
that correctly identifies and counts valid Unicode pairs and variation
selectors, ensuring the reported length matches the actual data footprint
more accurately.
Timeline
========
- 2025-10-18: Vulnerability reported to maintainers by Karol Wrótniak.
- 2025-11-27: CVE-2025-12758 published.
- 2025-11-09: Fixed version 13.15.22 released.
References
==========
[1] https://www.thedroidsonroids.com/blog/when-zero-width-isnt-zero
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-12758
[3] https://github.com/validatorjs/validator.js/releases/tag/13.15.22
--
Karol Wrótniak
Senior Android Developer
www.droidsonroids.com <https://www.thedroidsonroids.com/>
Wrocław, ul. Sikorskiego 26, 53-659 Poland
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- CVE-2025-12758: Unicode Variation Selectors Bypass in ‘validator’ library (isLength) Karol Wrótniak (Jan 29)