CVE-2025-56200 — Cross-site Scripting in Project Validator

CWE-79 — Cross-site Scripting5 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.0%

top 86.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Validator Project Validator

Timeline

PublishedSep 30

Description

A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶npmvalidator_project/validator< 13.15.20

▶NVDvalidator_project/validator3.15.15

🔴Vulnerability Details

OSV

validator.js has a URL validation bypass vulnerability in its isURL function↗2025-09-30

▶

OSV

CVE-2025-56200: A URL validation bypass vulnerability exists in validator↗2025-09-30

▶

GHSA

validator.js has a URL validation bypass vulnerability in its isURL function↗2025-09-30

▶

CVEList

CVE-2025-56200: A URL validation bypass vulnerability exists in validator↗2025-09-30

▶