Incomplete Filtering of Special Elements in validator.js - CVE-2025-12758

 

Published: February 26, 2026


Vulnerability identifier: #VU123307
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-12758
CWE-ID: CWE-791
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: validatorjs
Affected software:
validator.js

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incomplete filtering of one or more instances of special elements in the isLength() function, which does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence, leading to improper string length calculation. A remote attacker can cause an application that uses isLength() for input validation to accept strings significantly longer than intended, resulting in issues such as data truncation in databases, buffer overflows in other system components, or denial of service.
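The miscounting described above can be reproduced with a simplified model. This is an added example, not validator.js source code: `naiveLength` is an assumed stand-in for a counter that discounts every variation selector, and `checkLength`, `maxChars` and `maxBytes` are hypothetical names for a defensive check that bounds what the storage layer actually receives.

```javascript
// Added example; all names are hypothetical and this is not validator.js code.
const VARIATION_SELECTORS = /[\uFE0E\uFE0F]/g;

// Simplified model of the flaw class: every variation selector is discounted,
// including selectors that are not attached to a preceding base character.
function naiveLength(str) {
  const selectors = str.match(VARIATION_SELECTORS) || [];
  return str.length - selectors.length;
}

// Defensive check: measure the real size of the input and reject selectors
// that appear in a run or at the start of the string.
function checkLength(str, { maxChars, maxBytes }) {
  const codePoints = Array.from(str).length;           // selectors are counted
  const bytes = new TextEncoder().encode(str).length;  // UTF-8 size on the wire
  const stray = /[\uFE0E\uFE0F]{2,}/.test(str) || /^[\uFE0E\uFE0F]/.test(str);
  if (stray) return { ok: false, reason: 'stray variation selectors' };
  if (codePoints > maxChars) return { ok: false, reason: 'too many code points' };
  if (bytes > maxBytes) return { ok: false, reason: 'too many bytes' };
  return { ok: true, reason: null };
}

// Constructed sample inputs.
const legit = 'I \u2764\uFE0F JS';               // heart + emoji presentation selector
const padded = 'abc' + '\uFE0F'.repeat(5000);    // selectors appearing in a sequence

const limits = { maxChars: 10, maxBytes: 40 };
for (const [name, value] of [['legit', legit], ['padded', padded]]) {
  console.log(name, {
    utf16Units: value.length,
    naive: naiveLength(value),
    check: checkLength(value, limits),
  });
}
```

The padded input reports a naive length of 3 while occupying 5003 UTF-16 code units, which is the gap that lets an oversized value pass a length limit.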


How to mitigate CVE-2025-12758

Install updates from vendor's website.

Sources