CVE-2025-12758

HIGH

Package Validator <13.15.22 - Incomplete Filtering

Title source: llm

Description

Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service.

Exploits (1)

nomisec WORKING POC
by dajneem23 · poc
https://github.com/dajneem23/CVE-2025-12758

References (4)

Scores

CVSS v3 7.5
EPSS 0.0007
EPSS Percentile 22.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE
CWE-172 CWE-792
Status published

Affected Products (2)

validator_project/validator < 13.15.22
npm/validator < 13.15.22npm

Timeline

Published Nov 27, 2025
Tracked Since Feb 18, 2026