13.12.0
13 years ago
7 months ago
Known vulnerabilities in the validator package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for freeVulnerability | Vulnerable Version |
---|---|
validator is a library of string validators and sanitizers. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the PoC
How to fix Regular Expression Denial of Service (ReDoS)? Upgrade | <13.6.0 |
validator is a library of string validators and sanitizers. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the PoC
How to fix Regular Expression Denial of Service (ReDoS)? Upgrade | <13.6.0 |
validator is a library of string validators and sanitizers. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the PoC
How to fix Regular Expression Denial of Service (ReDoS)? Upgrade | <13.6.0 |
Affected versions of this package are vulnerable to Buffer Overflow. It used a regular expression ( How to fix Buffer Overflow? Upgrade | <5.0.0 |
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. It used a regular expression in order to validate URLs. How to fix Regular Expression Denial of Service (ReDoS)? Update to version 3.22.1 or greater. | >=0.1.0 <3.22.1 |
validator is a module for Node.js contains functionality meant to filter potential XSS attacks (a filter called xss). A method of bypassing the filter via an encoded URL has been publicly disclosed. In general, because the function’s filtering is blacklist-based it is likely that other bypasses will be discovered in the future. Developers are encouraged not to use the xss filter function in this package. The xss() function removes the word "javascript" when contained inside an attribute. However, it does not properly handle cases where characters have been hex-encoded. As a result, it is possible to build an input that bypasses the filter but which the browser will accept as valid JavaScript. How to fix Cross-site Scripting (XSS)? Upgrade to the latest version of this library. However, it should be noted that the fix for this vulnerability was to remove the xss filter functionality. Seek another library to provide proper output encoding. | <2.0.0 |
The validator module for Node.js contains functionality meant to filter potential XSS attacks (a filter called xss). Several ways to bypass the filter were discovered. In general, because the function’s filtering is blacklist-based it is likely that other bypasses will be discovered in the future. Developers are encouraged not to use the xss filter function in this package. Source: Node Security Project DetailsVarious inputs that could bypass the filter were discovered: Improper parsing of nested tags:
Incomplete filtering of javascript: URIs:
UI Redressing:
Bypass via Nested Forbidden Strings:
Additional bypasses were discovered by Krzysztof Kotowicz in 2012 when auditing CodeIgniter's XSS filtering function, which this code was based off of. How to fix Cross-site Scripting (XSS)? If you are a developer currently using the xss filter function from the validator package, you should consider replacing it with the escape filter function from the same package. This function replaces all instances of angle brackets (<, >), ampersands, and quotation marks, so no HTML tags will be processed. | <1.1.1 |