#VU123307 Incomplete Filtering of Special Elements in validator.js - CVE-2025-12758
Published: February 26, 2026
Vulnerability identifier: #VU123307
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-12758
CWE-ID: CWE-791
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
validator.js
validator.js
Software vendor:
validatorjs
validatorjs
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (uFE0F, uFE0E) appearing in a sequence which lead to improper string length calculation. A remote attacker can trick an application into using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service
Remediation
Install updates from vendor's website.